webtier@glassfish.java.net

Re: [webtier] Cookieless form based authentication

From: Jan Luehe <Jan.Luehe_at_Sun.COM>
Date: Wed, 31 Mar 2010 18:07:28 -0700

webtier_at_javadesktop.org wrote:
> Couldn't this be a requirement to use this form of authentication? The developer would know that this would/could be possible, and could set the action to "/j_security_check?jsessionid=${session.id}" to pass the session information along.
>
> Another idea: Why can't the session id be passed along as a hidden form input? Again, the developer would have to add a <input type="hidden" name="jsessionid" value="${session.id}" /> tag to the login form, but this is trivial. We already have to use specific names for the username and password fields, why not one more?
>
> I feel like I'm being a little bit snappy, and if I'm coming across that way, I apologize. It just seems like with this project I'm working on, every time I get a "good idea", I run into a "shortcoming" of the tool that I'm using.
>
> Am I totally off base with these thoughts? Is there something flawed with my thinking? *sigh* :^)
>

I love your idea. :)

As for appending the jsessionid to the action URL, the developer could
make this conditional, depending on whether URL rewriting was enabled
for the particular application, by querying the "application" variable
(of type ServletContext) for its effective session tracking modes (by
calling the new ServletContext#getEffectiveSessionTrackingModes that was
added in Servlet 3.0), provided the login page is of type JSP.

The hidden input field approach would work in either case.

I think it is time to rewrite or remove the following paragraph from the
Servlet spec, whose Section 13.6.3.1 ("Login Form Notes") currently reads:
    Form based login and URL based session tracking can be problematic to
    implement. Form based login should be used only when sessions are being
    maintained by cookies or by SSL session information.

This paragraph has been around for the longest time I think.


Jan
> -ds
> [Message sent by forum member 'digitalseraphim']
>
> http://forums.java.net/jive/thread.jspa?messageID=394636
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: webtier-unsubscribe_at_glassfish.dev.java.net
> For additional commands, e-mail: webtier-help_at_glassfish.dev.java.net
>
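The two carriers discussed in the thread, written out as a JSP login page. This is an added example, not code from the thread, the Servlet spec or GlassFish. It assumes a Servlet 3.0 container, so that `application.getEffectiveSessionTrackingModes()` exists, and that the login page is a JSP with the default `session="true"` so that the `session` implicit object is available before the user has authenticated. The action URL is only rewritten when the container reports `SessionTrackingMode.URL` as effective for this application; the hidden `jsessionid` field is emitted the way the poster proposes, and a stock container will ignore it unless it implements that proposal.

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ page import="javax.servlet.SessionTrackingMode" %>
<%
    // Added example, not from the thread. Decide at render time whether the
    // container tracks sessions through URL rewriting for this application.
    // getEffectiveSessionTrackingModes() is the Servlet 3.0 API named in the
    // thread; it reflects web.xml <tracking-mode> plus container defaults.
    boolean urlTracking = application.getEffectiveSessionTrackingModes()
                                     .contains(SessionTrackingMode.URL);

    // The spec fixes the action name as j_security_check. encodeURL() appends
    // ;jsessionid=... only when the container could not see a session cookie
    // on this request, so it leaves a cookie-tracked session alone.
    String action = urlTracking
            ? response.encodeURL("j_security_check")
            : "j_security_check";

    // Hidden-field variant from the thread: carry the id inside the POST body
    // instead of the URL. The field name "jsessionid" is the poster's proposal,
    // not something a standard container reads.
    String sessionId = session.getId();
%>
<!DOCTYPE html>
<html>
<head><title>Login</title></head>
<body>
  <form method="POST" action="<%= action %>">
    <input type="hidden" name="jsessionid" value="<%= sessionId %>" />
    <label>User name <input type="text" name="j_username" autocomplete="username" /></label>
    <label>Password  <input type="password" name="j_password" autocomplete="current-password" /></label>
    <input type="submit" value="Log in" />
  </form>
</body>
</html>
```

Two checks worth doing before relying on either carrier. First, view the rendered source with cookies disabled in the browser: the action should read `j_security_check;jsessionid=...` only when the container actually has URL tracking enabled, otherwise the id is being exposed for nothing. Second, whichever way the id reaches `j_security_check`, the session that carried the unauthenticated login form is the one that becomes authenticated, so the page must be served over HTTPS if URL rewriting is in play, since a rewritten URL also travels in logs and Referer headers.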