
List:       tapestry-user
Subject:    Re: integrating T5 a login form with Spring Security?
From:       Otho <taar93 () googlemail ! com>
Date:       2009-03-28 8:39:52
Message-ID: 6347384b0903280139v381c52c3hd1fae2cef2256447 () mail ! gmail ! com


Then I would guess that the programmatic authentication is your best option.
It isn't really that hard and you can build as many safeguards as you want.

But yes, it is annoying, that it isn't already built into spring security as
a possibility. It is really more than a bit geared towards servlets and
spring mvc.

2009/3/28 Borut Bolčina <borut.bolcina@gmail.com>

> Hi,
>
> the problem with this code is that you are using
> response.sendRedirect. This is not acceptable as this causes the
> username and password to be in plain text in the log files of the
> Tomcat (and Apache). And of course it must be on the HTTPS.
>
> The server-side redirect is the only way, as response.sendRedirect can
> not be done with POST, only GET.
>
> I am beginning to regret my decision to use spring security...but it
> is too late in the project.
>
> Any other ideas? Anyone?
>
> -Borut
>
>
>
> 2009/3/28 Otho <taar93@googlemail.com>:
> > My old solution which worked fine with the little glitch I described in my
> > last post. The problem might be in the session.invalidate();
> >
> >    @Inject
> >    private Request request;
> >
> >    @Inject
> >    private Response response;
> >
> >    @Property
> >    private String username;
> >
> >    @Property
> >    private String password;
> >
> >    @Component(id = "loginForm")
> >    private Form loginForm;
> >
> > Object onValidate.....
> >
> >  void onSuccessFromLoginForm() throws IOException
> >    {
> >        request.getSession(false).invalidate();
> >
> >        StringBuffer path = new StringBuffer(request.getContextPath())
> >                .append(Constants.J_SPRING_SECURITY_CHECK)
> >                .append("?")
> >                .append(Constants.J_USERNAME).append("=").append(username)
> >                .append("&")
> >                .append(Constants.J_PASSWORD).append("=").append(password);
> >        response.sendRedirect(path.toString());
> >    }
> >
> > public class Constants
> > {
> >    public static final String J_USERNAME = "j_username";
> >
> >    public static final String J_PASSWORD = "j_password";
> >
> >    public static final String J_SPRING_SECURITY_CHECK = "/j_spring_security_check";
> >
> >    public static final String J_SPRING_SECURITY_LOGOUT = "/j_spring_security_logout";
> > }
> >
> > 2009/3/27 Borut Bolčina <borut.bolcina@gmail.com>
> >
> >> I am using tapestry-spring-security. It works ok, but I am trying to
> >> spice up the login form with captcha if user has failed to login 5
> >> times (like google account).
> >>
> >> The form uses action="${loginCheckUrl}" method="POST" and is a regular
> >> html form (not t:form). But I need it to be t:form to put some
> >> validation logic into onValidate method and later on in onSuccess
> >> method a forward to /j_spring_security_check.
> >>
> >> But forwarding with
> >> requestDispatcher.forward(requestGlobals.getHTTPServletRequest(),
> >> requestGlobals.getHTTPServletResponse());
> >>
> >> causes an exception.
> >>
> >> There must be a solution?!
> >>
> >> -Borut
> >>
> >>
> >> 2009/3/27 Peter Lundberg <peter.lundberg@valtech.se>:
> >> > Jean Luc...
> >> >
> >> > Did you have a look at tapestry-spring-security? The repository is at
> >> > http://www.localhost.nu/java/mvn/nu/localhost/tapestry/tapestry-spring-security/
> >> > but the project site seems to be down. It is rough on the edges, but
> >> > works well and is not too hard to understand the code.
> >> >
> >> > It would be great if this got into more mainstream somewhere so it is easy
> >> > to add robust authorization to the applications we build - almost all have
> >> > it and will sooner or later need the things that spring-security provides.
> >> >
> >> > Appfuse also has an integration you could look at if you have not done so
> >> > already. http://code.google.com/p/tapestry5-appfuse/
> >> >
> >> > Excuse me if this was covered already in the thread.
> >> >
> >> > Br
> >> > Peter
> >> >
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
> >> For additional commands, e-mail: users-help@tapestry.apache.org
> >>
> >>
> >
>
>
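
The programmatic authentication suggested in the reply at the top of this message, as an added example that is not code from any poster in the thread or from tapestry-spring-security: the t:form handler passes the submitted credentials straight to the AuthenticationManager, so they never appear in a redirect URL or an access log, and the captcha check after 5 failures runs first. Assumptions: the package names are those of Spring Security 3 and later (the release current in 2009 used different packages), the AuthenticationManager bean is injectable into Tapestry pages, the security filter chain stores the SecurityContext in the session at the end of the request, and CaptchaVerifier is a hypothetical service.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import org.apache.tapestry5.annotations.Component;
import org.apache.tapestry5.annotations.Persist;
import org.apache.tapestry5.annotations.Property;
import org.apache.tapestry5.corelib.components.Form;
import org.apache.tapestry5.ioc.annotations.Inject;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;

public class Login {
    private static final int CAPTCHA_THRESHOLD = 5; // "failed to login 5 times"
    // Failures per username, kept server-side. Use a bounded, expiring store in production.
    private static final ConcurrentMap<String, Integer> FAILURES = new ConcurrentHashMap<>();

    @Inject private AuthenticationManager authenticationManager; // assumed: Spring bean visible to Tapestry
    @Inject private CaptchaVerifier captchaVerifier;             // hypothetical service
    @Persist @Property private String username;  // kept so the re-rendered form knows whose counter to check
    @Property private String password;
    @Property private String captchaAnswer;
    @Component(id = "loginForm") private Form loginForm;

    public boolean isCaptchaRequired() {
        Integer n = (username == null) ? null : FAILURES.get(username);
        return n != null && n >= CAPTCHA_THRESHOLD;
    }

    // Handler name follows the thread's "onValidate"; the event name depends on the Tapestry version.
    void onValidateFromLoginForm() {
        if (username == null || password == null
                || (isCaptchaRequired() && !captchaVerifier.verify(captchaAnswer))) {
            loginForm.recordError("Login failed.");
            return;
        }
        try {
            // Credentials stay in the POST body and in memory; nothing is put into a URL.
            SecurityContextHolder.getContext().setAuthentication(authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(username, password)));
            FAILURES.remove(username);
        } catch (AuthenticationException e) {
            FAILURES.merge(username, 1, Integer::sum); // atomic increment
            loginForm.recordError("Login failed.");    // same text for unknown user and bad password
        } finally {
            password = null; // do not keep the cleartext password on the page object
        }
    }
}
interface CaptchaVerifier { boolean verify(String answer); } // hypothetical; belongs outside the pages package
```

Because this path does not go through the login filter, the filter's session-fixation protection does not run, so the session id has to be rotated by the application at the point of successful authentication.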

