Hi Janne --

Another web.xml tweak request. I'd like to see the default CMS login method changed to FORM, which is superior to Basic Auth in many ways as well as more secure.

To make this easy to implement, I have enclosed a sample LoginRedirect.jsp, which is a dummy protected page that redirects the user back to wiki.jsp after authentication. Also, I have included LoginForm.jsp, which loads a skin-specific LoginTemplate.jsp (also enclosed). Both of these work together and perform the POST to j_security_check.

Also, I think it would be good practice to include a transport guarantee of confidential so that SSL is required for authenticated users. It could be commented out if needed, but it's best to encourage good security practices.

The snippet of web.xml to implement what I've described is this:

... <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint>

<login-config> <auth-method>FORM</auth-method> <form-login-config> <form-login-page>/LoginForm.jsp</form-login-page> <form-error-page>/LoginForm.jsp</form-error-page> </form-login-config> </login-config> ...

I've uploaded a ZIP file with some example files. LoginForm.jsp LoginRedirect.jsp and Logout.jsp go in webdocs/; LoginTemplate.jsp goes in webdocs/templates/skinname/. They are fairly generic and should not need (much) customization. In the ZIP bundle I've also included a "cookie checker" library I wrote and a taglib descriptor. This provides a way to force cookie usage rather than allow URL re-writing (very insecure). It's personal code and is released under the Apache license. If you don't want to use this, no problem. In the source tree, these can go in lib and and etc, respectively.

Andrew jaquith notes: this is fixed in the 2.3 branch.