
Key: JS2-229
Type: Bug
Status: Resolved
Resolution: Won't Fix
Priority: Minor
Assignee: Ate Douma
Reporter: Artem Grinshtein
Votes: 0
Watchers: 0
Jetspeed 2

Authentication without Javascript enabled

Created: 08/Apr/05 05:59 PM   Updated: 09/Apr/05 08:15 PM
Component/s: Security
Affects Version/s: 2.0-M2
Fix Version/s: None

Time Tracking:
Not Specified

File Attachments:
patch.txt (text file, 2 kB, licensed for inclusion in ASF works) - 2005-04-08 06:05 PM - Artem Grinshtein
Environment: jdk1.4.2_06, tomcat-5.0.30, win2000pro

Resolution Date: 09/Apr/05 08:15 PM


Description
You can't log in without JavaScript enabled. The HTML output of LoginServlet contains an 'invisible' form and JavaScript to submit it.

Artem Grinshtein added a comment - 08/Apr/05 06:05 PM
The HTML form and JavaScript are replaced with response.sendRedirect.

Artem Grinshtein made changes - 08/Apr/05 06:05 PM
Field Original Value New Value
Attachment patch.txt [ 19561 ]
Ate Douma added a comment - 09/Apr/05 08:15 PM
Although I would like to be able to remove the JavaScript requirement for the active Login functionality,
I wouldn't replace it with your solution because:
- It is less secure
  using a redirect with the username and password as query string parameters will make it much easier
  to hack into your account
- Some web/application servers *require* that the j_security_check action is accessed using form POST.
  It may work with the server (version) you have tested it against, but it may break on others.
  I know this for sure because I tested that out before I implemented the active Login as it is right now.

I'm sorry, but I don't think active Login can be implemented (portable and secure) without requiring JavaScript.
If you can't enforce that I suggest falling back to using an "old" style login form and providing only a link
to a secure page for "login" which users can click to enter their login account.
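The fallback discussed above, as an added example that is not Jetspeed's code or the attached patch: a hypothetical servlet serving a plain login form that POSTs to the container's j_security_check, so login works with JavaScript disabled and the credentials never travel in a query string (where they would land in access logs, browser history and Referer headers). It assumes the servlet is mapped as the container's FORM-auth login page and that j_username/j_password are the field names the container expects (they are, per the Servlet specification).

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical login servlet (not Jetspeed's LoginServlet): renders a visible
// HTML form instead of a hidden, JavaScript-submitted one.
public class NoScriptLoginServlet extends HttpServlet {

    // Builds the login page; kept separate so the markup can be inspected.
    static String loginPage(String contextPath, boolean failed) {
        StringBuilder sb = new StringBuilder();
        sb.append("<html><body>\n");
        if (failed) {
            sb.append("<p>Login failed, please try again.</p>\n");
        }
        // Container-managed FORM auth requires a POST with exactly these names.
        sb.append("<form method=\"post\" action=\"")
          .append(escape(contextPath)).append("/j_security_check\">\n")
          .append("Username: <input type=\"text\" name=\"j_username\"><br>\n")
          .append("Password: <input type=\"password\" name=\"j_password\"><br>\n")
          .append("<input type=\"submit\" value=\"Login\">\n")
          .append("</form>\n</body></html>\n");
        return sb.toString();
    }

    // Minimal HTML escaping for values echoed into the page.
    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Refuse credentials arriving on a GET (i.e. in the query string).
        if (req.getParameter("j_password") != null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST,
                           "credentials must be submitted with POST");
            return;
        }
        resp.setContentType("text/html");
        resp.setHeader("Cache-Control", "no-store"); // don't cache the login page
        PrintWriter out = resp.getWriter();
        boolean failed = "1".equals(req.getParameter("failed")); // assumed flag
        out.print(loginPage(req.getContextPath(), failed));
    }
}
```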

Ate Douma made changes - 09/Apr/05 08:15 PM
Status Open [ 1 ] Resolved [ 5 ]
Resolution Won't Fix [ 2 ]
Assignee Ate Douma [ adouma ]