webtier@glassfish.java.net

Re: [webtier] Cookieless form based authentication

From: Jan Luehe <Jan.Luehe_at_Sun.COM>
Date: Thu, 01 Apr 2010 10:15:12 -0700

Jan Luehe wrote:
> webtier_at_javadesktop.org wrote:
>> Couldn't this be a requirement to use this form of authentication?
>> The developer would know that this would/could be possible, and could
>> set the action to "/j_security_check?jsessionid=${session.id}" to
>> pass the session information along.
>> Another idea: Why can't the session id be passed along as a hidden
>> form input? Again, the developer would have to add a <input
>> type="hidden" name="jsessionid" value="${session.id}" /> tag to the
>> login form, but this is trivial. We already have to use specific
>> names for the username and password fields, why not one more?
>>
>> I feel like I'm being a little bit snappy, and if I'm coming across
>> that way, I apologize. It just seems like with this project I'm
>> working on, every time I get a "good idea", I run into a
>> "shortcoming" of the tool that I'm using.
>>
>> Am I totally off base with these thoughts? Is there something flawed
>> with my thinking? *sigh* :^)
>>
>
> I love your idea. :)
>
> As for appending the jsessionid to the action URL, the developer could
> make this conditional, depending on whether URL rewriting was enabled
> for the particular application, by querying the "application" variable
> (of type ServletContext) for its effective session tracking modes (by
> calling the new ServletContext#getEffectiveSessionTrackingModes that
> was added in Servlet 3.0), provided the login page is of type JSP.

If you appended the session id to the login form's j_security_check
action URL, then no changes to the container would be required, right?

Have you tried it?

Thanks,

Jan
>
> The hidden input field approach would work in either case.
>
> I think it is time to rewrite or remove the following paragraph from
> the Servlet spec, whose Section 13.6.3.1 ("Login Form Notes")
> currently reads:
>
> Form based login and URL based session tracking can be problematic to
> implement.
> Form based login should be used only when sessions are being
> maintained by cookies or by SSL session information.
>
> This paragraph has been around for the longest time I think.
>
>
> Jan
>> -ds
>> [Message sent by forum member 'digitalseraphim']
>>
>> http://forums.java.net/jive/thread.jspa?messageID=394636
>>
>
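A login page implementing the conditional approach Jan describes above, written here as an added example (it is not code from this thread or from GlassFish) and assuming a JSP login page running on a Servlet 3.0 container. It uses response.encodeURL rather than hand-building the parameter, because the container's URL rewriting expects the ";jsessionid=..." path-parameter form, not a query string.

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ page import="javax.servlet.SessionTrackingMode" %>
<%
    // Added example: carry the session id in the form action only when this
    // application actually tracks sessions by URL rewriting (Servlet 3.0 API).
    String action = "j_security_check";
    if (application.getEffectiveSessionTrackingModes().contains(SessionTrackingMode.URL)) {
        // encodeURL appends ";jsessionid=<id>" in the form the container parses,
        // and leaves the URL untouched when the client already sent a session cookie.
        action = response.encodeURL(action);
    }
%>
<form method="POST" action="<%= action %>">
  <label>Username
    <input type="text" name="j_username" autocomplete="username">
  </label>
  <label>Password
    <input type="password" name="j_password" autocomplete="current-password">
  </label>
  <button type="submit">Log in</button>
</form>
```

Keeping the check conditional matters because a session id embedded in a URL shows up in browser history, Referer headers and server logs, so it should only be emitted for applications that genuinely rely on URL tracking.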