Pass username and password via browser in Formbased Authentication

Hi, I am using form based Authentication in my Application. I want to know is there any way i can pass the username and password in the url so that the user need not enter it when accessing a secured resource.

Its somethink like i have 2 different applications App1 and App2 , and i am calling a secured page from App1 in App2 now as the page is secured the contaner will prompt for username and password , therefore while calling the page itself i want to give the usernme and password so that the login is carried out and secured page is seen.

Any suggestions appreciated.

What you're looking for is a single sign-on (or SSO) solution; the SecurityFaq lists several of those.

If you're certain that all your web apps will always be running on the same server, and that the server will always be Tomcat, then the Tomcat SSO valve may be for you.

No no .. i want to know how to pass username and password in the browser url when the authetication type is FORM based authentication.

Passing security credentials in the URL is a bad idea for numerous reasons; much better to use proper SSO.

While browsing i found somethink like this..... but what is g2_form i didnt get .... and also i dont no what is UserLogin,Login

Looks like a random URL to me - what's it have to do with your problem? Obviously you *can* pass in the URL whatever you choose, but that doesn't make it a good idea. FORM authentication works with POST, not GET, though - so anything you do in the URL will have no effect.

i have taken the above url from the link

http://gallery.menalto.com/node/79854

as Form based authentication has got action="j_security_check" and username field as <input id="userId" type="text" name="j_username" size="30">

and password <input type="password" name="j_password" size="30"> so anything like

http://rsnb:8080/login.jsp?j_username="test"&j_password="test" should work.....

but this is not working.

Ulf Dittmer wrote:FORM authentication works with POST, not GET, though - so anything you do in the URL will have no effect.

Thanks for your time ... one more question if i use JQuery and post the username and password using $.post then..

Let me make a distinction between "Form-based Authentication" and "Container Managed Security".

Form-based authentication is simply any system where a form is used instead of (for example) a popup dialog to collect login credentials. An application can design its own forms and its own logic to handle login and that will technically be form-based authentication. Of course, if it's like over 95% of the webapps I've seen with DIY security, it won't stand a chance against a halfway determined 10-year old. but that's another matter.

Container Managed security means literally what its name says. Container Managed Security. You don't present a login form when doing form-based Container Managed Security. The container does. It does this when it determines that the user needs to be authenticated, and it does thus by pushing the incoming URL request off to the side, running an internal login process, then resuming the original URL request (assuming the user logged in).

The Container Managed Login Form has no external URL.

The "j_security_check" URL is a postback URL. It cannot be directly invoked, it only functions when the container has posted out a login form. The container has constructed a login context before the form is presented. That context does not exist when a stand-alone URL request to j_security_check is made. That's why any attempt to explicitly login using container-managed form-based security will fail.

You can induce a container-based login by causing the user to invoke a protected URL. You cannot induce a container-based login directly. The converse, however, is also true. You cannot bypass a login on a protected URL. Which is one of my favourite ways to outwit the DIY security systems.