Storing j_username and j_password in loginRequest.jsp - Weblogic


  1. Storing j_username and j_password in loginRequest.jsp

    I have to perform a single sign on to two different applications. I thought
    I could capture the username and password information in the loginRequest.jsp
    form by saving the j_username and j_password to hidden fields in the form
    and store the information in the formSubmit javascript function.
    Well... it didn't work. Once I get to the loginSuccess.jsp page, the
    request.getParameter("userName") and request.getParameter("userPass") both
    return null.
    What do I do to be able to authenticate both systems with a single signon?
    (or) How do I retain the username and password information that I entered in
    the loginRequest form.

    Thanks,

    Ken Lee
    klee@westerngas.com





  2. Re: Storing j_username and j_password in loginRequest.jsp

    Though it is prohibited by the servlet specs, a workaround is possible and I
    have implemented it.
    What u do is have an unsecured page send a servlet a login/password and
    u process it the way u want. The final step before leaving the servlet would
    be to send a

    response.sendRedirect(encodedSecurityURL);
    where
    encodedSecurityURL = "/j_security_check?j_username="
    + req.getParameter("j_username") +
    "&j_password=" + req.getParameter("j_password") + "&j_target_url="
    + encodedURL;
    j_target_url = URL of the secured/unsecured resource one wants to access
    after authenticating thru weblogic

    Sending a forward doesn't work..but the redirect works...

    Tapan

  3. Re: Storing j_username and j_password in loginRequest.jsp

    However, this workaround (at least as posted) sends credentials in the URL
    which is not advisable. GET requests are logged as such in the web server's
    log and thus are available to anyone reading them later. Even if the number
    of those people is limited, passwords should not be persisted in log files.

  4. Re: Storing j_username and j_password in loginRequest.jsp

    interesting observation Alf....is there any way this can be taken care of?
    Tapan

  5. Re: Storing j_username and j_password in loginRequest.jsp

    Use POST for forms as suggested. Web servers don't normally log the body of
    the requests (and POST puts the parameters in the body).

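The logging risk raised in replies 3 and 5, as an added example that is not part of the thread: a Python scan over Common Log Format access-log lines that flags requests carrying `j_password` in the query string and redacts the value. The log lines are constructed, and the secret parameter names other than `j_password` are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Parameter names treated as secrets. j_password is the one from this thread;
# the others are assumed common variants.
SECRET_PARAMS = {"j_password", "password", "passwd", "pwd"}

# Request line inside a Common/Combined Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def redact_target(target):
    """Return (redacted_target, leaked_param_names) for one request target."""
    parts = urlsplit(target)
    leaked, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SECRET_PARAMS:
            leaked.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    if not leaked:
        return target, []
    return urlunsplit(parts._replace(query=urlencode(pairs))), leaked

def scan(lines):
    """Return (findings, cleaned_lines); a finding is (line_no, method, path, params)."""
    findings, cleaned = [], []
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m:
            target, leaked = redact_target(m.group("target"))
            if leaked:
                findings.append((no, m.group("method"), urlsplit(target).path, leaked))
                line = line[:m.start("target")] + target + line[m.end("target"):]
        cleaned.append(line)
    return findings, cleaned

# Constructed sample log lines (not taken from the thread).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2001:10:02:11 +0000] "GET /j_security_check?j_username=alice&j_password=s3cret%21&j_target_url=%2Fapp%2Fhome HTTP/1.1" 302 0',
    '10.0.0.5 - - [01/Jan/2001:10:05:40 +0000] "POST /j_security_check HTTP/1.1" 302 0',
    '10.0.0.7 - - [01/Jan/2001:10:06:02 +0000] "GET /app/home?tab=2 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    hits, clean = scan(SAMPLE_LOG)
    for hit in hits:
        print("credential in URL:", hit)
    print("\n".join(clean))
```

Only the GET line is flagged: the POST to `/j_security_check` leaves no parameters in the request line, which is the difference reply 5 relies on.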
  6. Re: Storing j_username and j_password in loginRequest.jsp

    Hey,
    When I forward a request from inside a servlet to the j_security_check, it
    performs a GET always.
    Is there some way in which u can modify the header of the request and ask it
    to perform a POST instead of a GET? I tried response.setHeader("method",
    "POST"); but it doesn't work...
    Help..
    Tapan