portals-jetspeed-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ate Douma (JIRA)" <jetspeed-...@jakarta.apache.org>
Subject [jira] Commented: (JS2-229) Authentication without Javascript enabled
Date Sat, 09 Apr 2005 11:17:16 GMT
     [ http://issues.apache.org/jira/browse/JS2-229?page=comments#action_62493 ]
     
Ate Douma commented on JS2-229:
-------------------------------

Although I would like to be able to remove the Javascript requirement for the active Login
functionality,
I wouldn't replace it with your solution because:
- It is less secure
  using a redirect with the username and password as query string parameters will make it
much easier
  to hack into your account
- Some web/application servers *require* that the j_security_check action is accessed using
form POST.
  It may work with the server (version) you have tested it against, but it may break on others.
  I know this for sure because I tested that out before I implemented the active Login as
it is right now.

I'm sorry, but I don't think active Login can be implement (portable and secure) without requiring
Javascript.
If you can't enforce that I suggest falling back to using an "old" style login form and providing
only a link
to a secure page for "login" which users can click to enter their login account. 

> Authentication without Javascript enabled
> -----------------------------------------
>
>          Key: JS2-229
>          URL: http://issues.apache.org/jira/browse/JS2-229
>      Project: Jetspeed 2
>         Type: Bug
>   Components: Security
>     Versions: 2.0-M2
>  Environment: jdk1.4.2_06, tomcat-5.0.30, win2000pro
>     Reporter: Artem Grinshtein
>     Priority: Minor
>  Attachments: patch.txt
>
> you can't login without Javascript enabled. HTML output of LoginServlet contains a 'invisible'
form and javascript to submit it.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
If you want more information on JIRA, or have a bug to report see:
   http://www.atlassian.com/software/jira


---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: jetspeed-dev-help@jakarta.apache.org


Mime
View raw message