I have pages on my Tomcat 4.0.2 server that are protected with form-based authentication. I notice that, if I directly do 'http://localhost:8080/j_security_check?j_username=uid&j_password=pwd', I'll get the response 'Apache Tomcat/4.0.2 - HTTP Status 400 - Invalid direct reference to form login page'. So, what should I do so that I can bypass the login form and go directly to the restricted page?
You either want security or you don't want security. Why do you want to bypass the security page? I'd recommend against doing this anyway, since you have placed the username and password fields on the URL, and even with encryption they can turn up in log files... There are ways to perform a login from the server side, but I'm not sure how to accomplish this in Tomcat, i.e. if the username and password are available on the server you can log them in without requiring the login screen. This is useful for things like registration pages, where you already have the username and password, but you don't want to throw them at the login screen again just so they can get security credentials - you already have all the data. Can we get more details on why you want this? Maybe there is another solution. Dave
But if you have both then you actually have neither. Passing the username and password on the URL negates any security you have. But that said, once you have the username and password on the server, there should be a call you can make to explicitly authenticate the user. But I don't know what it is. I'll go have a look, but no promises. Dave
Well, it's not necessary to put the username and password in the URL. I can put them in a form and then post it with the "POST" method. Of course I can use my normal login page, but the problem is, the login page is on another server, and that server will redirect the browser, together with the username and password, to another server, which handles the authentication. I found 1 way to get around it. I just create another JSP page and then use request.getParameter to get the username and password and store them in a session variable. And then I use response.sendRedirect to redirect the browser to some restricted realm on the server, and of course because of this, Tomcat will redirect to the normal login page. But in the login page, I'll get the username and password from the session variable, and if there are any, I just use response.sendRedirect to redirect the login page to j_security_check, together with the username and password. If authenticated, Tomcat will redirect me back to the original page... The problem is, it seems quite messy. I hope there's a cleaner way to do this.... Anyway, thanks... Cheers.....
The best I could find in 5 minutes or less is from here: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html and it possibly has something to do with Realm.authenticate(), which may allow you to authenticate the user IF you can get access to the realm. Rather than calling j_security_check, you would write a separate login Servlet to accept the username and password, and it would also require the page you want to redirect to after authentication. myHost:8080/MyLoginServlet?username=dave&password=bites&resource=secured.jsp Dave
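The separate login servlet suggested in the last reply, sketched as an added example that is not code from any poster in this thread. It assumes a Servlet 3.0 or later container (HttpServletRequest.login() does not exist in the Servlet 2.3 API that Tomcat 4.0.2 implements), the javax.servlet namespace, and a realm already configured for the web application; the servlet name and the username/password/resource parameter names are taken from the example URL in the reply, and the isLocalPath helper is hypothetical. It accepts credentials by POST only, so they stay out of the URL and access logs, and it refuses any redirect target that is not a path inside the application.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: assumes a Servlet 3.0+ container and the javax.servlet namespace.
// Only doPost is implemented, so HttpServlet's default doGet rejects GET requests
// and credentials placed in the query string are never processed.
@WebServlet("/MyLoginServlet")
public class MyLoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        String resource = req.getParameter("resource"); // e.g. "/secured.jsp"

        if (username == null || password == null || !isLocalPath(resource)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        try {
            // Validates the credentials against the realm configured for this
            // web application; no form page or j_security_check round trip.
            req.login(username, password);
        } catch (ServletException e) {
            // Thrown on bad credentials, or if the request is already authenticated.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // The container now treats the request as authenticated.
        resp.sendRedirect(req.getContextPath() + resource);
    }

    // Hypothetical helper: accept only a context-relative path such as
    // "/secured.jsp". Rejects absolute and protocol-relative URLs so the
    // login endpoint cannot be used as an open redirect.
    static boolean isLocalPath(String p) {
        if (p == null || !p.startsWith("/") || p.startsWith("//")) {
            return false;
        }
        for (int i = 0; i < p.length(); i++) {
            char c = p.charAt(i);
            if (c == '\\' || c == '\r' || c == '\n') {
                return false;
            }
        }
        return true;
    }
}
```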