Suppose we store the authentication info in a cookie so that the user would be auto-authenticated the next time he returns. But if we are using form-based declarative authentication, we must explicitly access a constrained resource in order to trigger the container to return the login form.
How do we use the cookie to supply the credential to the container?
Eddy Lee Sin Ti
Joined: Oct 06, 2005
You could create a Filter that checks the validity of the login credentials in client cookies before forwarding the request to the targeted resource.
SCJP, SCWCD, SCJWS, IBM 700, IBM 701, IBM 704, IBM 705, CA Clarity Technical
http://eddyleesinti.blogspot.com
Always be careful about accepting any information from the client, even in cookies. This doesn't necessarily answer your question, but if you implemented a solution where the cookie contained just the username and no other data, users could hack other accounts by modifying the cookie sent.
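An added example, not part of the original thread: one way the Filter suggested above could check a cookie so that editing the username in it is detected, by binding the username and an expiry time to a server-side HMAC. The class name, method names, token layout and demo key are all assumptions made for illustration; a Filter would pass the cookie value to `verify()` and treat a `null` result as "not logged in".

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class RememberMeToken {
    // Constructed demo key; a real deployment loads a random secret kept only on the server.
    private static final byte[] KEY = "demo-only-server-secret".getBytes(StandardCharsets.UTF_8);
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static String sign(String payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        return B64.encodeToString(mac.doFinal(payload.getBytes(StandardCharsets.UTF_8)));
    }

    // Cookie value (hypothetical layout): base64url(username).expiryEpochSeconds.HMAC(first two parts)
    public static String issue(String username, long expiresAt) throws Exception {
        String payload = B64.encodeToString(username.getBytes(StandardCharsets.UTF_8)) + "." + expiresAt;
        return payload + "." + sign(payload);
    }

    // Returns the username if the cookie is authentic and unexpired, otherwise null.
    public static String verify(String cookieValue, long now) throws Exception {
        String[] parts = cookieValue == null ? new String[0] : cookieValue.split("\\.", -1);
        if (parts.length != 3) return null;
        String payload = parts[0] + "." + parts[1];
        // Recompute the MAC on the server and compare in constant time.
        if (!MessageDigest.isEqual(sign(payload).getBytes(StandardCharsets.UTF_8),
                parts[2].getBytes(StandardCharsets.UTF_8))) return null;
        try {
            if (Long.parseLong(parts[1]) <= now) return null;   // token has expired
            return new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {                   // malformed number or base64
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        long now = System.currentTimeMillis() / 1000;
        String cookie = issue("alice", now + 3600);
        // Constructed tampering: replace the username part but keep the original MAC.
        String forged = B64.encodeToString("admin".getBytes(StandardCharsets.UTF_8))
                + cookie.substring(cookie.indexOf('.'));
        System.out.println(verify(cookie, now));          // genuine cookie
        System.out.println(verify(forged, now));          // edited username
        System.out.println(verify(cookie, now + 7200));   // genuine cookie checked after expiry
    }
}
```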
Joined: Jan 28, 2004
Thanks for the reply. But I still have questions. When we do form-based authentication, these steps are involved normally:
1. user requests constrained resource.
2. container sees the constrained resource and returns the login form and somehow enters a mode expecting the 'j_security_check' URL.
3. user submits the login form which looks like <form action=j_security_check> with 'j_username' and 'j_password' parameters.
The important point is in step 2: the container AUTOMATICALLY enters a mode accepting the j_security_check URL as a special request for login, rather than a normal URL. This step is important because if we directly submit a form with 'j_security_check' while the container is not expecting it, it is treated as a normal URL.
This brings me to my problem: if I want my cookie (perhaps storing username & password) to trigger auto login, how can I cause the container to accept j_security_check to mean a login attempt?