login via url parameters

Hi everyone,

Is it possible to log in to JSPWiki by passing the parameters in the URL?

I tried this: http://<server>/JSPWiki/Login.jsp?j_username=<username>&j_password=<password>

tks!

Re: login via url parameters

This is a very bad idea. Among other things, the GET is likely to be logged, which means the user's password will be exposed and recorded.

What are you trying to do?

Andrew

On May 25, 2009, at 9:19, Kinicky <kinicky@...> wrote:

> Hi everyone,
>
> Is it possible to log in to JSPWiki by passing the parameters in the URL?
>
> I tried this: http://<server>/JSPWiki/Login.jsp?j_username=<username>&j_password=<password>
>
> tks!
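
Added example (not part of the thread): a check for the exposure described in the reply above, run over access-log lines to flag and redact credentials that arrived in a GET query string. The log lines are constructed, and every parameter name other than `j_password` is an assumption.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# j_password is the parameter from the thread; the other names are assumptions.
SENSITIVE = {"j_password", "password", "passwd", "pwd"}

# Request line of a common/combined-format access log entry.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def redact_target(target):
    """Return (redacted_target, leaked_parameter_names) for one request target."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = [k for k, _ in pairs if k.lower() in SENSITIVE]
    if not leaked:
        return target, []
    clean = [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(clean))), leaked


def scan(lines):
    """Return (line_no, leaked_names, redacted_line) for each line exposing a credential."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        target, leaked = redact_target(match.group("target"))
        if leaked:
            start, end = match.span("target")
            findings.append((line_no, leaked, line[:start] + target + line[end:]))
    return findings


# Constructed sample log lines (documentation addresses, made-up credentials).
SAMPLE = [
    '192.0.2.10 - - [25/May/2009:09:21:07 +0000] "GET /JSPWiki/Login.jsp?j_username=alice&j_password=s3cret HTTP/1.1" 200 5120',
    '192.0.2.10 - - [25/May/2009:09:22:40 +0000] "POST /JSPWiki/j_security_check HTTP/1.1" 302 -',
    '192.0.2.11 - - [25/May/2009:09:23:02 +0000] "GET /JSPWiki/Wiki.jsp?page=Main HTTP/1.1" 200 8841',
]

if __name__ == "__main__":
    for line_no, leaked, redacted in scan(SAMPLE):
        print(f"line {line_no}: {', '.join(leaked)} in URL -> {redacted}")
```

Only the GET line is flagged: the POST to `j_security_check` carries its fields in the request body, which this log format does not record.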

Re: login via url parameters

Yes, I know about this security issue.

I'm trying to implement SSO with another system, and this other system asks for the parameters. I can use POST to do the SSO, but I didn't succeed, so I'm just trying the GET method now because it is more clear and easy to test.

On Mon, May 25, 2009 at 10:24 AM, Andrew Jaquith <andrew.r.jaquith@...> wrote:

> This is a very bad idea. Among other things, the GET is likely to be logged, which means the user's password will be exposed and recorded.
>
> What are you trying to do?
>
> Andrew
>
> On May 25, 2009, at 9:19, Kinicky <kinicky@...> wrote:
>
>> Hi everyone,
>>
>> Is it possible to log in to JSPWiki by passing the parameters in the URL?
>>
>> I tried this: http://<server>/JSPWiki/Login.jsp?j_username=<username>&j_password=<password>
>>
>> tks!

Re: login via url parameters

One of the implementations of SSO is done by storing a security token in cookies. Like:

1. Login is done in System1; System1 generates a security token and places it into cookies.
2. The user navigates to System2 (JspWiki in our case); a security filter in System2 analyzes the security token in the cookies and performs the login (if it is possible) using the information in this security token.

Spring-Security (for example) has algorithms for SSO implemented.

I'm afraid JspWiki has no SSO implemented out-of-box - but, I may be wrong

2009/5/25 Kinicky <kinicky@...>

> Yes, I know about this security issue.
>
> I'm trying to implement SSO with another system, and this other system asks for the parameters. I can use POST to do the SSO, but I didn't succeed, so I'm just trying the GET method now because it is more clear and easy to test.
>
> On Mon, May 25, 2009 at 10:24 AM, Andrew Jaquith <andrew.r.jaquith@...> wrote:
>
>> This is a very bad idea. Among other things, the GET is likely to be logged, which means the user's password will be exposed and recorded.
>>
>> What are you trying to do?
>>
>> Andrew
>>
>> On May 25, 2009, at 9:19, Kinicky <kinicky@...> wrote:
>>
>>> Hi everyone,
>>>
>>> Is it possible to log in to JSPWiki by passing the parameters in the URL?
>>>
>>> I tried this: http://<server>/JSPWiki/Login.jsp?j_username=<username>&j_password=<password>
>>>
>>> tks!

--
With Best Regards,
Alexey Kakunin, EmDev Limited
Professional Software Development: http://www.emdev.ru
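
The two steps described in the post above, as an added example (not from the thread, and not JSPWiki or Spring Security code): System1 issues an HMAC-signed token for the cookie, and System2 verifies it before trusting the username. The token layout, shared key, lifetime and function names are assumptions; Python is used here, and a servlet filter in System2 would perform the same check.

```python
import base64
import hashlib
import hmac
import time

# Assumption: both systems hold this key, provisioned out of band (constructed value).
SHARED_KEY = b"constructed-demo-key"
MAX_AGE = 300  # seconds a token is accepted after issue (assumed policy)


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username, now=None, key=SHARED_KEY):
    """Step 1, System1: build 'payload.signature' for the cookie after a login."""
    issued = int(time.time() if now is None else now)
    payload = _b64(f"{username}|{issued}".encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def verify_token(token, now=None, key=SHARED_KEY):
    """Step 2, System2 filter: return the username, or None if forged, malformed or stale."""
    try:
        payload, sig = token.split(".")
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        # Check the signature (in constant time) before parsing the payload.
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        username, issued = _unb64(payload).decode().rsplit("|", 1)
        age = (time.time() if now is None else now) - int(issued)
    except (AttributeError, ValueError):
        return None
    return username if 0 <= age <= MAX_AGE else None


if __name__ == "__main__":
    token = issue_token("alice")
    # The cookie carrying the token should be set with the Secure and HttpOnly attributes.
    print("cookie value:", token)
    print("System2 accepts:", verify_token(token))
```

The cookie carries no password, so nothing reusable reaches URLs or access logs, and a token with a changed username fails the signature check.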

Re: login via url parameters

Alexey Kakunin wrote:

> One of the implementations of SSO is done by storing a security token in cookies. Like:
>
> 1. Login is done in System1; System1 generates a security token and places it into cookies.
> 2. The user navigates to System2 (JspWiki in our case); a security filter in System2 analyzes the security token in the cookies and performs the login (if it is possible) using the information in this security token.
>
> Spring-Security (for example) has algorithms for SSO implemented.
>
> I'm afraid JspWiki has no SSO implemented out-of-box - but, I may be wrong

As far as I can tell from my own experience, JSPWiki ships with a web.xml that defines certain URLs as protected resources within an "authenticated area". When you go to one of those pages, e.g. Upload.jsp, the webapp container (Tomcat in my case) intercepts the request and executes LoginForm.jsp according to the <login-config>.

***IF*** (like me) you want to use the standard Tomcat single signon valve, then your login code MUST POST to j_security_check the j_username and j_password fields provided by the user. If acceptable within the security realm of the container, then the security valve redirects to the original protected URL.

The Tomcat SSO valve does use a browser cookie to recognise a request for a protected resource within the same, or a different container. If you trash your cookies, SSO doesn't remember you.

So, I conclude that if you are using Tomcat and the standard SSO valve, whatever code you have that knows the userid and password MUST POST j_username and j_password to a URL of "j_security_check" to get authenticated. However, if that POST hasn't been triggered by <login-config> intercepting the protected resource, I don't know how you will achieve the automatic redirect back to your desired page. I guess you need to look at the Tomcat source for j_security_check.

Good luck!

Brian