servlet sendRedirect() to j_security_check problem (remember me)

Discussion:

Matt Raible

2003-12-03 20:24:05 UTC

Chris,

I found your post at
http://www.mail-archive.com/tomcat-user%40jakarta.apache.org/
msg111700.html and I'm cc'ing the list in case anyone else is
interested in this info (I'm not subscribed).

I've actually improved the "Remember Me" feature a fair amount since I
posted to the Tomcat User list. The sendRedirect works, however, it
(in some browsers) puts the URL (with password) into the address bar.
This isn't a big deal IMO since it's the user that just logged in and
they don't mind seeing their own passwords. However, the URL tends to
show up in server log files which can be a security hole. Because of
this, I changed to using an HTTP Post with Jakarta Common's HttpClient.
I also moved my form-login-page and form-error-page into a "security"
folder and then set my cookies for the /appname/security path rather
than / - this makes it so the user/pass cookies are more secure and can
only be retrieved when logging in, rather than for any URL in the site.

That being said, I've updated one of my sample apps with these changes
and you can download it if you'd like:

http://raibledesigns.com/wiki/Wiki.jsp?page=AppFuse

Here's my updated LoginServlet that does an Http Post instead of a Get:

http://tinyurl.com/xl80

HTH,

Matt

Hi Matt,
Sorry for sending unsolicited email but I've been looking at some
of your postings to Tomcat-User and wondered if I could ask a
couple of questions. I've tried posting to list but had no response
from anyone there.
Specifically, it's regarding your "remember me" login stuff. If this
is a pain feel free to ignore this email.
Best regards
Chris
p.s. My question the list was under the subject
"servlet sendRedirect() to j_security_check problem"
--
Chris Ward, Horizon Asset Limited
Tel +44 (20) 7367 7028, Fax 7367 7029
--
THIS E-MAIL MAY CONTAIN CONFIDENTIAL AND/OR PRIVILEGED INFORMATION.
IF YOU ARE NOT THE INTENDED RECIPIENT (OR HAVE RECEIVED THIS E-MAIL
IN ERROR) PLEASE NOTIFY THE SENDER IMMEDIATELY AND DESTROY THIS E-
MAIL. ANY UNAUTHORISED COPYING, DISCLOSURE OR DISTRIBUTION OF THE
MATERIAL IN THIS E-MAIL IS STRICTLY FORBIDDEN.
HORIZON ASSET LIMITED IS AUTHORISED AND REGULATED
BY THE FINANCIAL SERVICES AUTHORITY.

Adam Hardy

2003-12-03 23:21:00 UTC

Permalink

Matt,
are you really managing to post a form to j_security_check without
invoking it first, or is that some sort of black magic you've cooked up?

Or have I just misunderstood what Chris said?

Adam

Post by Matt Raible
Chris,
I found your post at
http://www.mail-archive.com/tomcat-user%40jakarta.apache.org/
msg111700.html and I'm cc'ing the list in case anyone else is
interested in this info (I'm not subscribed).
I've actually improved the "Remember Me" feature a fair amount since I
posted to the Tomcat User list. The sendRedirect works, however, it
(in some browsers) puts the URL (with password) into the address bar.
This isn't a big deal IMO since it's the user that just logged in and
they don't mind seeing their own passwords. However, the URL tends to
show up in server log files which can be a security hole. Because of
this, I changed to using an HTTP Post with Jakarta Common's HttpClient.
I also moved my form-login-page and form-error-page into a "security"
folder and then set my cookies for the /appname/security path rather
than / - this makes it so the user/pass cookies are more secure and can
only be retrieved when logging in, rather than for any URL in the site.
That being said, I've updated one of my sample apps with these changes
http://raibledesigns.com/wiki/Wiki.jsp?page=AppFuse
http://tinyurl.com/xl80
HTH,
Matt

--
struts 1.1 + tomcat 5.0.14 + java 1.4.2
Linux 2.4.20 RH9

Matt Raible

2003-12-03 23:52:54 UTC

Permalink

It's standard container managed security stuff - I first invoke a
protected URL - in index.jsp - I redirect to mainMenu.do - and *.do is
protected. Based on security constraints in web.xml, I'm presented
with a form-login-page "login.jsp" - rather than having
action="j_security_check" in this form, I have
action="/security/authorize" - which is mapped to my own LoginServlet.
In the LoginServlet, I encrypt the password (optionally based on an
init-parameter), set some cookies and do an HTTP Post to
j_security_check. Works on Tomcat 4-5 and Resin 3.x.

Matt

Post by Adam Hardy
Matt,
are you really managing to post a form to j_security_check without
invoking it first, or is that some sort of black magic you've cooked up?
Or have I just misunderstood what Chris said?
Adam

Post by Matt Raible
Chris,
I found your post at
http://www.mail-archive.com/tomcat-user%40jakarta.apache.org/
msg111700.html and I'm cc'ing the list in case anyone else is
interested in this info (I'm not subscribed).
I've actually improved the "Remember Me" feature a fair amount since
I posted to the Tomcat User list. The sendRedirect works, however,
it (in some browsers) puts the URL (with password) into the address
bar. This isn't a big deal IMO since it's the user that just logged
in and they don't mind seeing their own passwords. However, the URL
tends to show up in server log files which can be a security hole.
Because of this, I changed to using an HTTP Post with Jakarta
Common's HttpClient. I also moved my form-login-page and
form-error-page into a "security" folder and then set my cookies for
the /appname/security path rather than / - this makes it so the
user/pass cookies are more secure and can only be retrieved when
logging in, rather than for any URL in the site.
That being said, I've updated one of my sample apps with these
http://raibledesigns.com/wiki/Wiki.jsp?page=AppFuse
http://tinyurl.com/xl80
HTH,
Matt

--
struts 1.1 + tomcat 5.0.14 + java 1.4.2
Linux 2.4.20 RH9

Adam Hardy

2003-12-04 13:02:26 UTC

Permalink

That's a fairly circuitous route for a login. I guess you do what you
have to do though.

I was wondering whether I could adapt it to allow an SSL login form to
be used to login to non-SSL pages, but I think the httpClient would
leave the j_security_check post in plain text on the net - unless it
never leaves the server, but I'm not sure that would be possible.

Adam

Post by Matt Raible
It's standard container managed security stuff - I first invoke a
protected URL - in index.jsp - I redirect to mainMenu.do - and *.do is
protected. Based on security constraints in web.xml, I'm presented with
a form-login-page "login.jsp" - rather than having
action="j_security_check" in this form, I have
action="/security/authorize" - which is mapped to my own LoginServlet.
In the LoginServlet, I encrypt the password (optionally based on an
init-parameter), set some cookies and do an HTTP Post to
j_security_check. Works on Tomcat 4-5 and Resin 3.x.
Matt

Post by Matt Raible
Chris,
I found your post at
http://www.mail-archive.com/tomcat-user%40jakarta.apache.org/
msg111700.html and I'm cc'ing the list in case anyone else is
interested in this info (I'm not subscribed).
I've actually improved the "Remember Me" feature a fair amount since
I posted to the Tomcat User list. The sendRedirect works, however,
it (in some browsers) puts the URL (with password) into the address
bar. This isn't a big deal IMO since it's the user that just logged
in and they don't mind seeing their own passwords. However, the URL
tends to show up in server log files which can be a security hole.
Because of this, I changed to using an HTTP Post with Jakarta
Common's HttpClient. I also moved my form-login-page and
form-error-page into a "security" folder and then set my cookies for
the /appname/security path rather than / - this makes it so the
user/pass cookies are more secure and can only be retrieved when
logging in, rather than for any URL in the site.
That being said, I've updated one of my sample apps with these
http://raibledesigns.com/wiki/Wiki.jsp?page=AppFuse
http://tinyurl.com/xl80
HTH,
Matt

--
struts 1.1 + tomcat 5.0.16 + java 1.4.2
Linux 2.4.20 Debian

Chris Ward

2003-12-04 15:00:52 UTC

Permalink

Thanks for the extra info Matt (& Adam)

I'm going to try to continue with my login work next
week - the newer version of Matt's "Remember-me" JSP/Servlet/Filter
seems to have a lot going on in there. I feel a little daunted
to be honest. But I shall play around with it some more.

Thanks again for all the good advice guys - I'll probably be in
touch next week.

Best regards,
Chris

-----Original Message-----
Sent: Thursday, 4 December 2003 13:02
To: Tomcat Users List; Matt Raible
Subject: Re: servlet sendRedirect() to j_security_check problem
(remember me)
That's a fairly circuitous route for a login. I guess you do what you
have to do though.
I was wondering whether I could adapt it to allow an SSL
login form to
be used to login to non-SSL pages, but I think the httpClient would
leave the j_security_check post in plain text on the net - unless it
never leaves the server, but I'm not sure that would be possible.
Adam

Post by Matt Raible
It's standard container managed security stuff - I first invoke a
protected URL - in index.jsp - I redirect to mainMenu.do -

and *.do is

Post by Matt Raible
protected. Based on security constraints in web.xml, I'm

presented with

Post by Matt Raible
a form-login-page "login.jsp" - rather than having
action="j_security_check" in this form, I have
action="/security/authorize" - which is mapped to my own

LoginServlet.

Post by Matt Raible
In the LoginServlet, I encrypt the password (optionally based on an
init-parameter), set some cookies and do an HTTP Post to
j_security_check. Works on Tomcat 4-5 and Resin 3.x.
Matt

Post by Adam Hardy
Matt,
are you really managing to post a form to j_security_check without
invoking it first, or is that some sort of black magic

you've cooked up?

Post by Matt Raible

Post by Adam Hardy
Or have I just misunderstood what Chris said?
Adam

amount since