Here's how I've done it -

First of all, I don't use "j_security_check" as my action, but rather
"auth/" which maps to a LoginServlet.  That servlet does some other things,
but here's the relevant code.  The StringUtil.encodeString(password) method
changes the cookie to be base64 encrypted.  Not a very good encryption, but
better than nothing.

LoginServlet.java
=====================

// j_username / j_password are the field names container form auth expects
String username = request.getParameter("j_username").toLowerCase();
String password = request.getParameter("j_password");

if (request.getParameter("rememberMe") != null) {
    response =
        RequestUtil.setCookie(response, "rememberMe", "true", false);
    response =
        RequestUtil.setCookie(response, "password",
                              StringUtil.encodeString(password),
                              false);
}

String req =
    "j_security_check?j_username=" + RequestUtils.encodeURL(username)
    + "&j_password=" + RequestUtils.encodeURL(password);

response.sendRedirect(response.encodeRedirectURL(req));


Then I have a filter mapped to /* and it has the following code:

Cookie rememberMe = RequestUtil.getCookie(request, "rememberMe");
Cookie passCookie = RequestUtil.getCookie(request, "password");
String password =
    (passCookie != null)
    ? URLDecoder.decode(passCookie.getValue(), "UTF-8") : null;

// <form-error-page>/login.jsp?error=true</form-error-page>
boolean authFailed =
    StringUtils.equals(request.getParameter("error"), "true");

// check to see if the user is logging out, if so, remove the
// rememberMe cookie and password Cookie
if ((request.getRequestURL().indexOf("logout") != -1) || authFailed) {
    if (log.isDebugEnabled()) {
        log.debug("deleting rememberMe-related cookies");
    }

    response =
        RequestUtil.deleteCookie(response,
                                 RequestUtil.getCookie(request,
                                                       "rememberMe"));
    response = RequestUtil.deleteCookie(response, passCookie);
}

if ((request.getRequestURL().indexOf("login") != -1) && !authFailed) {
    // Check to see if we should automatically login the user
    // container is routing user to login page, check for remember me cookie
    Cookie userCookie = RequestUtil.getCookie(request, "username");
    // guard on the cookie actually being read, not on passCookie
    String username =
        (userCookie != null)
        ? URLDecoder.decode(userCookie.getValue(), "UTF-8") : null;

    if ((rememberMe != null) && (password != null)) {
        // authenticate user without displaying login page
        String route =
            "j_security_check?j_username=" + username
            + "&j_password=" + StringUtil.decodeString(password);

        if (log.isDebugEnabled()) {
            log.debug("I remember you '" + username
                      + "', attempting authentication...");
        }

        response.sendRedirect(response.encodeRedirectURL(route));

        return;
    }
}

chain.doFilter(request, response);

This has been working great for me, but I've only tested it on Tomcat.

HTH,

Matt
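The weak spot in the scheme above is the "password" cookie: base64 is reversible, so anyone who can read the cookie (browser profile, proxy log, XSS) recovers the real password, and the filter then replays it through j_security_check on every auto-login. The following is an added example, not Matt's code or anything from the Tomcat project, of the usual alternative: the cookie carries only the username, an expiry and an HMAC computed with a server-side secret, so it cannot be forged or extended and reveals no credential. The class name, the `issue`/`verify` methods, the 32-byte demo key and the two-week lifetime are all assumptions made for the example; the cookie value it produces would be set with the HttpOnly and Secure flags, and the application (or a custom realm) would establish the authenticated session after `verify` succeeds instead of redirecting a password.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Added example: a remember-me cookie value that carries no password. */
public class RememberMeToken {
    private static final String HMAC_ALG = "HmacSHA256";
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    // hypothetical server-side secret; it never leaves the server
    private final byte[] serverKey;

    public RememberMeToken(byte[] serverKey) {
        this.serverKey = serverKey.clone();
    }

    /** Produces "b64(username):expiryMillis:b64(hmac)" for the cookie value. */
    public String issue(String username, long expiresAtMillis) {
        String payload = B64.encodeToString(username.getBytes(StandardCharsets.UTF_8))
                + ":" + expiresAtMillis;
        return payload + ":" + B64.encodeToString(hmac(payload));
    }

    /** Returns the username if the token is intact and unexpired, otherwise null. */
    public String verify(String cookieValue, long nowMillis) {
        if (cookieValue == null) return null;
        String[] parts = cookieValue.split(":", -1);
        if (parts.length != 3) return null;
        String payload = parts[0] + ":" + parts[1];
        byte[] presented;
        try {
            presented = B64D.decode(parts[2]);
        } catch (IllegalArgumentException e) {
            return null;
        }
        // constant-time comparison so the check does not leak via timing
        if (!MessageDigest.isEqual(hmac(payload), presented)) return null;
        long expiry;
        try {
            expiry = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            return null;
        }
        if (nowMillis >= expiry) return null;
        return new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance(HMAC_ALG);
            mac.init(new SecretKeySpec(serverKey, HMAC_ALG));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);      // constructed key for the demo only
        RememberMeToken tokens = new RememberMeToken(key);
        long now = System.currentTimeMillis();
        long twoWeeks = 14L * 24 * 60 * 60 * 1000;

        String cookie = tokens.issue("matt", now + twoWeeks);
        System.out.println("cookie value : " + cookie);
        System.out.println("valid now    : " + tokens.verify(cookie, now));

        // swap in a different username but keep the original signature
        String[] p = cookie.split(":");
        String forged = B64.encodeToString("admin".getBytes(StandardCharsets.UTF_8))
                + ":" + p[1] + ":" + p[2];
        System.out.println("forged user  : " + tokens.verify(forged, now));

        // same cookie presented after its expiry
        System.out.println("after expiry : " + tokens.verify(cookie, now + twoWeeks + 1));
    }
}
```

Running `main` shows the genuine cookie verifying to the username while the forged and expired variants both come back null. Because the secret lives only on the server, rotating it invalidates every outstanding remember-me cookie at once, which is the revocation story the base64 password cookie lacks.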


> -----Original Message-----
> From: John Trollinger [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, February 20, 2003 1:12 PM
> To: [EMAIL PROTECTED]
> Subject: Form based security and "Remember Me"
> 
> 
> I searched the archive and only saw one message pertaining to this.
> 
> Is anyone doing this at all?  And if so how?
> 
> Thanks,
> 
> John
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 

