Auto Login By Username in Cookie

Alec Lee
Ranch Hand

Joined: Jan 28, 2004
Posts: 569
Suppose we store the authentication info in a cookie so that the user would be auto-authenticated the next time he returns. But if we are using form-based declarative authentication, we must explicitly access a constrained resource in order to trigger the container to return the login form.

How do we use the cookie to supply the credential to the container?
Eddy Lee Sin Ti
Ranch Hand

Joined: Oct 06, 2005
Posts: 135
You could create a Filter that checks the validity of the login credentials in client cookies before forwarding the request to the targeted resource.


SCJP, SCWCD, SCJWS, IBM 700, IBM 701, IBM 704, IBM 705, CA Clarity Technical
http://eddyleesinti.blogspot.com
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

Always be careful about accepting any information from the client, even in cookies. This doesn't necessarily answer your question, but if you implemented a solution where the cookie contained just the username and no other data, users could hack other accounts by modifying the cookie sent.
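An added example (not part of any poster's reply) for the warning above: instead of trusting a username-only cookie, the server issues a token carrying the username and an expiry, authenticated with an HMAC under a server-side key, and a filter like the one suggested earlier would treat the cookie as valid only when verify returns a name. The class name, token layout and demo key are assumptions made for this illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class RememberMeToken {
    // Constructed demo key (assumption): load a random secret from server-side config instead.
    private static final byte[] KEY = "demo-only-server-secret".getBytes(StandardCharsets.UTF_8);

    private static String b64(byte[] raw) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    private static String sign(String payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        return b64(mac.doFinal(payload.getBytes(StandardCharsets.UTF_8)));
    }

    // Cookie value layout (assumption): base64url(username) "." expiryMillis "." base64url(HMAC)
    static String issue(String username, long expiresAtMillis) throws Exception {
        String payload = b64(username.getBytes(StandardCharsets.UTF_8)) + "." + expiresAtMillis;
        return payload + "." + sign(payload);
    }

    // Returns the username only if the MAC matches and the token has not expired, else null.
    static String verify(String cookieValue, long nowMillis) throws Exception {
        String[] parts = cookieValue == null ? new String[0] : cookieValue.split("\\.");
        if (parts.length != 3) return null;
        byte[] expected = sign(parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII);
        byte[] actual = parts[2].getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(expected, actual)) return null; // constant-time comparison
        try {
            if (Long.parseLong(parts[1]) < nowMillis) return null;
            return new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) { return null; } // malformed number or base64
    }

    public static void main(String[] args) throws Exception {
        long now = System.currentTimeMillis();
        String token = issue("alice", now + 86_400_000L); // valid for one day
        // Same cookie with the username field replaced and alice's MAC left in place.
        String edited = b64("bob".getBytes(StandardCharsets.UTF_8)) + token.substring(token.indexOf('.'));
        System.out.println("untouched: " + verify(token, now));
        System.out.println("edited:    " + verify(edited, now));
        System.out.println("expired:   " + verify(token, now + 2 * 86_400_000L));
    }
}
```

The token carries no password, but anyone who obtains the cookie can replay it until it expires, so the expiry should be kept short.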
Alec Lee
Ranch Hand

Joined: Jan 28, 2004
Posts: 569
Thanks for the reply. But I still have questions. When we do form-based authentication, these steps are involved normally:

1. user requests constrained resource.

2. container sees the constrained resource and returns the login form and somehow enters a mode expecting the 'j_security_check' URL.

3. user submits the login form which looks like <form action=j_security_check> with 'j_username' and 'j_password' parameters.

The important point is in step 2, the container AUTOMATICALLY enters a mode accepting the j_security_check URL as a special request for login, rather than a normal URL. This step is important because if we directly submit a form with 'j_security_check' while the container is not expecting it, it is treated as a normal URL.

This brings me to my problem: if I want my cookie (perhaps storing username & password) to trigger auto login, how can I cause the container to accept j_security_check to mean a login attempt?
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

It sounds like you're trying to bypass the form based authentication. My thoughts are: don't. If the user wants to cache the credentials in the browser then this should be sufficient.

Other than this, you may be able to set sessions not to expire and change the cookie from a session cookie to a regular persistent cookie, but this is not something I am comfortable suggesting.

You should require users to log in, otherwise your site is not secured.

Dave
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

Just as an addendum, you may want to look into other forms of authentication such as certificate based and see if this is a better fit to your requirements.
 