ahmed yehia

Ranch Hand
since Apr 22, 2006

Recent posts by ahmed yehia

Um, just by looking in the API, I found it can be done as simply as calling:

14 years ago
Not sure what it's called, but I want to be able to have requests that look like:


The resource URL part doesn't exist = not a web resource, but I want to strip it and use it much as I would use a usual request parameter.
14 years ago
Thanks Mark, I also got it working using:

I got this exception trying to execute (persist) the below code snippets:

Postgres tables are:
1- users (id, ...)
2- user_roles(user_id, role)
Welcome to Java Ranch!

As far as I can see the mapping should work

You have a mapping mismatch in your Servlet. You make a request for 'Select.do' where in the DD it is declared 'SelectBeer.do'
14 years ago
I have this in applicationContext-security xml file:

It works fine whether the request came through forward or redirect.

Just want to make sure these 2 approaches don't vary.

14 years ago
Spring Security logout links to 'j_spring_security_logout' by default, I want to link to logout.jsp instead.

E.g. in logout.jsp:
  • <jsp:forward page="j_spring_security_logout" />
  • <% response.sendRedirect("j_spring_security_logout"); %>
  • <% session.invalidate(); %>

These all seem to work identically to firing a logout action.

However, which could be a better approach?
    14 years ago
    After a user has logged in and selected 'remember me', when the user comes back to the site home page, I want the user to be automatically redirected to their specific page.

    Using Spring Security 2.0.5

    Possibly there is a way to do this declaratively?
    14 years ago

    HTTPS is used for encrypted web traffic, not for authentication. For authentication you have BASIC, DIGEST, FORM and CERTIFICATE.

    Per my understanding, HTTPS is used to protect data in transmission, and Form based authentication,
    which is widely used all across the internet, has the least security features (i.e. no data encryption),
    hence web traffic is exposed to vulnerability.

    What I want to know is that if we use HTTPS for login forms, would that be sufficient to grant security? I suspect it's not always the case.
    And if we don't use HTTPS, what could be alternatives to achieve that goal?

    14 years ago

    You can use authentication with or without HTTPS. The two don't really have anything to do with each other.

    What I want to know here is that if we don't use HTTPS to transmit user authentication info, then what other options are available for use in a web app.
    Also, how much security we can obtain when using HTTPS or other methods, in order to achieve a robust security system, with focus mostly on user authentication.

    Cocoon for example.

    That's the one I found. Authentication Framework

    this article

    Interesting! Although the subject is mainly WS, it's useful. Thank you.

    14 years ago

    Ulf Dittmer wrote:Using HTTPS is largely independent of using authentication. The application will need to create appropriate absolute URLs with the desired protocol, though.

    If you could please elaborate on this and how HTTPS is independent of using authentication. I have seen many popular web sites, including our Ranch, that do not use HTTPS in their login window; it seems interesting. What could be other options though?

    Also I have searched available security frameworks, to see if any can satisfy my mentioned requirements.
    Taking a high-level overview. Cocoon for example.

    Also folks around talk about extending the container-managed authentication and doing their own, like you said.
    This might be an option to go by. But it's still not a trivial matter to decide the way to go.
    14 years ago
    I am having an issue doing a custom JDBC realm secure-login authentication, which container-based implementation may not satisfy.
    But I'm not very sure on the way to go.

    The application is a JSF-based web app currently configured to container (Tomcat) declarative security.

    1- login, register forms in the index page, should guarantee sufficient security in transmission.
    *index page should preferably not use HTTPS* and also need to digest passwords before authenticating DB.

    2- should still use container-based implementations in other cases throughout the application.

    3- maintain container-based declarative security.

    4- should handle remember me feature.
    14 years ago

    Notification that a session is about to be invalidated

    I think this can further be clarified in that session scoped attributes are still valid if called from within sessionDestroyed().
    Hence at this point the session is still valid, but about to be invalidated.
    14 years ago