Title: CMS Form-Based Authentication
Date: 17-Nov-2004 06:25:20 EET
Version: 2.1.121-CVS
Submitter: AndrewJaquith
PageProvider used: N/A
Criticality: EnhancementRequest
Servlet Container: Tomcat 5.0.19
Browser version: Safari
URL: N/A
Status: ClosedBugs
Java version: 1.4.2_05-b04

Hi Janne --

Another web.xml tweak request. I'd like to see the default CMS login method changed to FORM, which is superior to Basic Auth in many ways as well as more secure.

To make this easy to implement, I have enclosed a sample LoginRedirect.jsp, which is a dummy protected page that redirects the user back to wiki.jsp after authentication. Also, I have included LoginForm.jsp, which loads a skin-specific LoginTemplate.jsp (also enclosed). Both of these work together and perform the POST to j_security_check.

Also, I think it would be good practice to include a transport guarantee of confidential so that SSL is required for authenticated users. It could be commented out if needed, but it's best to encourage good security practices.

The snippet of web.xml to implement what I've described is this:

    ...
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/LoginForm.jsp</form-login-page>
      <form-error-page>/LoginForm.jsp</form-error-page>
    </form-login-config>
  </login-config>
  ...

I've uploaded a ZIP file with some example files. LoginForm.jsp, LoginRedirect.jsp and Logout.jsp go in webdocs/; LoginTemplate.jsp goes in webdocs/templates/skinname/. They are fairly generic and should not need (much) customization. In the ZIP bundle I've also included a "cookie checker" library I wrote and a taglib descriptor. This provides a way to force cookie usage rather than allow URL re-writing (very insecure). It's personal code and is released under the Apache license. If you don't want to use this, no problem. In the source tree, these can go in lib and etc, respectively.

Andrew Jaquith notes: this is fixed in the 2.3 branch.
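The cookie-checker library from the attached ZIP is not reproduced on this page. As an added illustration (not Andrew's code and not part of JSPWiki), here is a servlet Filter in the same spirit, written against the Servlet 2.4 API that Tomcat 5.0 implements: it refuses any session identifier that arrived by URL rewriting (the ;jsessionid=... form, which leaks through Referer headers, proxy logs and bookmarks and is the usual vehicle for session fixation) and wraps the response so that encodeURL() and encodeRedirectURL() never append one, so a cookie-less client fails closed instead of being silently downgraded. The class name, the errorPage init parameter, and the default error page path /CookieErrorTemplate.jsp (taken from the attachment name above) are assumptions. The login form itself is standard container-managed FORM authentication: a POST to j_security_check carrying the fields j_username and j_password, with nothing here to add.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical example (not the cookie-checker library from the attached
 * ZIP): forces the session id to travel only in a cookie.
 *
 * Assumed web.xml wiring:
 *
 *   <filter>
 *     <filter-name>CookieOnlySession</filter-name>
 *     <filter-class>CookieOnlySessionFilter</filter-class>
 *     <init-param>
 *       <param-name>errorPage</param-name>
 *       <param-value>/CookieErrorTemplate.jsp</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>CookieOnlySession</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class CookieOnlySessionFilter implements Filter {

    /** Page shown when a URL-carried session id is rejected (assumed default). */
    private String errorPage = "/CookieErrorTemplate.jsp";

    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("errorPage");
        if (configured != null && configured.length() > 0) {
            errorPage = configured;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The client presented ";jsessionid=..." in the URL instead of a cookie.
        // Never honour it: refuse the request and show the error page.
        if (request.getRequestedSessionId() != null && request.isRequestedSessionIdFromURL()) {
            if (request.isRequestedSessionIdValid()) {
                // The id names a live session: invalidate it rather than leave
                // a session behind that an attacker may have planted in a link.
                HttpSession session = request.getSession(false);
                if (session != null) {
                    session.invalidate();
                }
            }
            response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            request.getRequestDispatcher(errorPage).forward(request, response);
            return;
        }

        // Cookie-borne (or no) session id: proceed, but make sure the
        // application can never emit a rewritten URL for this response.
        chain.doFilter(request, new NoUrlRewritingResponse(response));
    }

    public void destroy() {
    }

    /** Response wrapper that turns URL rewriting of the session id off. */
    private static class NoUrlRewritingResponse extends HttpServletResponseWrapper {
        NoUrlRewritingResponse(HttpServletResponse response) {
            super(response);
        }

        // Return the URL untouched so no jsessionid is ever appended.
        public String encodeURL(String url) {
            return url;
        }

        public String encodeRedirectURL(String url) {
            return url;
        }
    }
}
```

Because filters apply to the REQUEST dispatch only by default in Servlet 2.4, the forward to the error page does not re-enter the filter. Combining this with the CONFIDENTIAL transport guarantee above means the session cookie is both the only carrier of the id and only ever sent over SSL.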


List of attachments

Kind  Attachment Name          Size    Version  Date Modified      Author         Change note
jsp   CookieErrorTemplate.jsp  2.6 kB  1        17-Nov-2004 08:09  AndrewJaquith
zip   formauth.zip             9.8 kB  1        17-Nov-2004 06:25  AndrewJaquith
« This page (revision-4) was last changed on 23-Aug-2006 10:08 by Janne Jalkanen