Struts and Form-Based Authentication

Dom

Hi,

I am using Form-Based Authentication with Struts and Tomcat.

When I log in I want to first process the form through struts and then
force the container security framework to authenticate the user
through a sendRedirect. The reason why I want to do this is because if
the user checks the remember me option I can then set up a cookie to
store their typed in username and password.

My login.jsp is:
<html:form action="login.do">
Username:<html:text name="loginForm" property="j_username"/><br>
Password:<html:text name="loginForm" property="j_password"/><br>
<html:submit property="whichAction"
title="Submit">Submit</html:submit>
</html:form>

My code that processes this form in LoginAction:
LoginForm loginForm = ((LoginForm)form);
String auth = "j_security_check?j_username=" +
loginForm.getJ_username() + "&j_password=" +
loginForm.getJ_password();
response.sendRedirect(auth);


The sendRedirect does not work. How do I make struts understand that I
want it to process the container "j_security_check"?

Can someone help please?

Dom
 
Bryce

> Hi,
>
> I am using Form-Based Authentication with Struts and Tomcat.
>
> When I log in I want to first process the form through struts and then
> force the container security framework to authenticate the user
> through a sendRedirect. The reason why I want to do this is because if
> the user checks the remember me option I can then set up a cookie to
> store their typed in username and password.
>
> My login.jsp is:
> <html:form action="login.do">
> Username:<html:text name="loginForm" property="j_username"/><br>
> Password:<html:text name="loginForm" property="j_password"/><br>
> <html:submit property="whichAction"
> title="Submit">Submit</html:submit>
> </html:form>
>
> My code that processes this form in LoginAction:
> LoginForm loginForm = ((LoginForm)form);
> String auth = "j_security_check?j_username=" +
> loginForm.getJ_username() + "&j_password=" +
> loginForm.getJ_password();
> response.sendRedirect(auth);
>
> The sendRedirect does not work. How do I make struts understand that I
> want it to process the container "j_security_check"?
>
> Can someone help please?

Don't know off the top of my head, but you could take a look at
AppFuse. They have this functionality built in.

https://appfuse.dev.java.net/
 
NOBODY

First, why don't you just use javascript to write the cookie upon
form.submit()?
You are overkilling it...

Second, why don't you just use longer httpsessions if you intend to auto
login? JSESSIONID can last way more than 60 minutes.

Third, modern browsers do have form completion. Let the user decide if he
wants or not the password to be stored at all. It is not secure otherwise.
 
Dom

> First, why don't you just use javascript to write the cookie upon
> form.submit()?
> You are overkilling it...

Accessibility standards mean javascript cannot be used.

> Second, why don't you just use longer httpsessions if you intend to auto
> login? JSESSIONID can last way more than 60 minutes.

Longer httpsessions is memory expensive.

> Third, modern browsers do have form completion. Let the user decide if he
> wants or not the password to be stored at all. It is not secure otherwise.

Suppose this might be a good option.

However, I'd still like to know why my sendRedirect didn't work.....so
I put it back out there.....anyone, anyone, anyone?
 
NOBODY

> Accessibility standards mean javascript cannot be used.

Which standards? Have you tried to navigate without javascript lately?
Whatever. It's your app...

But again, storing password in non-encrypted ways in a cookie is unsafe.

> Longer httpsessions is memory expensive.

Not if you enable an httpsession manager that uses persistence, e.g. a DB.
Look at the Tomcat docs... You'll see. Sessions could last years.

> Suppose this might be a good option.
>
> However, I'd still like to know why my sendredirect didn't work.....so

j_security_check isn't just any page:
it deals with the referrer so you can get redirected to the originally
requested page. I don't think Tomcat will let you trap that service.

If you can't do it in plain servlet API (best guess is a servletfilter)
then you won't be able to do it in Struts either.

I would forget Struts, try with a servletfilter, grab the name/pwd, set
cookie in response and doFilterChain().
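
Added example, not part of the thread or written by any of its posters: one way to build the "remember me" cookie so that it carries a random, single-use token instead of the typed-in username and password. The class name, the REMEMBER_ME cookie name, the 14-day lifetime and the in-memory map (a stand-in for a database table) are all assumptions, and wiring the redeemed username into Tomcat's own login is not shown.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class RememberMeTokens {
    private static final class Entry {
        final String username; final Instant expires;
        Entry(String u, Instant e) { username = u; expires = e; }
    }
    private static final long TTL_SECONDS = 14L * 24 * 3600;  // assumed lifetime
    private final SecureRandom rng = new SecureRandom();
    // Key is SHA-256(token), so a leaked store does not reveal usable cookies.
    private final Map<String, Entry> store = new ConcurrentHashMap<>();

    private static String sha256(String s) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256")
                                .digest(s.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(d);
    }
    /** Call after a successful login with "remember me" checked. */
    public String issue(String username) throws Exception {
        byte[] raw = new byte[32];                 // 256 bits of randomness
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        store.put(sha256(token), new Entry(username, Instant.now().plusSeconds(TTL_SECONDS)));
        return token;
    }
    /** Single use: the token is removed on lookup; issue a fresh one afterwards. */
    public String redeem(String token) throws Exception {
        Entry e = store.remove(sha256(token));
        if (e == null || Instant.now().isAfter(e.expires)) return null;
        return e.username;
    }
    /** Value for a Set-Cookie header; the password never leaves the server. */
    public static String setCookieHeader(String token) {
        return "REMEMBER_ME=" + token + "; Max-Age=" + TTL_SECONDS
             + "; Path=/; Secure; HttpOnly; SameSite=Lax";
    }
    public static void main(String[] args) throws Exception {
        RememberMeTokens tokens = new RememberMeTokens();
        String token = tokens.issue("dom");        // constructed sample user
        System.out.println("Set-Cookie: " + setCookieHeader(token));
        System.out.println("first use -> " + tokens.redeem(token));
        System.out.println("replay    -> " + tokens.redeem(token));
    }
}
```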
 
