Another way:

Encrypt your username and password and then send them with the URL.

You can do this in two ways:

1 - with Java code in the Login.java class:

This is a sample that I used in a project:

import java.security.MessageDigest;

public String digest(String password, String salt) {

        if ((password == null) || (salt == null)) {
            throw new IllegalArgumentException();
        }

        try {
            MessageDigest digest = MessageDigest.getInstance("MD5");

            // Wrap the password in the salt: first half, password, second half.
            int half = salt.length() / 2;
            String firstSubString = salt.substring(0, half);
            String secondSubString = salt.substring(half);

            // Use an explicit charset rather than the platform default, or the
            // same password can hash differently on different machines.
            digest.update(firstSubString.getBytes("UTF-8"));
            digest.update(password.getBytes("UTF-8"));
            digest.update(secondSubString.getBytes("UTF-8"));

            // Hex-encode the raw digest bytes. Decoding them as UTF-8 text
            // (new String(bytes, "UTF-8")) is lossy: malformed sequences are
            // replaced, so distinct digests can collapse to the same string and
            // the value cannot travel intact in a URL or form field.
            StringBuilder hex = new StringBuilder();
            for (byte b : digest.digest()) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();

        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

Note that you must encrypt new users' passwords too, before saving them in the database.


2 - with JavaScript code in Login.tml:

You can find sample JavaScript for encrypting passwords on the internet.



On Jan 22, 2008 5:14 PM, Baptiste Meurant <[EMAIL PROTECTED]>
wrote:

>
> Thanks for your response.
>
> It is the solution that I decided to use. It is working perfectly but
> without using T5 mechanisms. I was wondering if some "full T5" solution
> was possible.
>
> Thanks again,
>
> Baptiste.
>
>
> dalahoo wrote:
> >
> > A simple idea is to change Login.tml to submit directly to the Acegi
> > filter:
> >
> >
> > <form method="POST" action="/j_acegi_security_check">
> >
> >        <input type="text" name="j_username"  />
> >
> >        <input type="password" name="j_password" />
> >
> >        <input type="submit" value="${message:login}"/>
> > </form>
> >
> >
> >
> >
> > On Jan 22, 2008 4:43 PM, Baptiste Meurant <[EMAIL PROTECTED]>
> > wrote:
> >
> >>
> >> Hi,
> >>
> >>    Thank you for this great work. It will be really useful.
> >>
> >>    I still have a question about the T5/Acegi security integration: the
> >> "classic" solution that you used to perform strong authentication with
> >> Acegi through T5 is creating a T5 LinkImpl object. You then give
> >> parameters (login and password) to this link object to pass the request
> >> to Acegi.
> >>
> >> The problem is that you are then able to see the login and password in
> >> clear in your server (Apache, Tomcat, ...) logs. Indeed, T5 uses a
> >> LinkImpl object to perform a GET (and not a POST) to the server.
> >>
> >> I am very annoyed with this security hole that I have encountered in my
> >> own implementation of T5/Acegi integration. I don't know any correct and
> >> elegant fix for this issue for now.
> >>
> >> Did you experience this issue? Do you have an idea about it? Or maybe
> >> you have already found a solution to fix it?
> >>
> >> Regards,
> >>
> >> Baptiste
> >>
> >>
> >>
> >> dalahoo wrote:
> >> >
> >> > Hi all,
> >> >
> >> > latest release of my phone book application is available now,
> >> >
> >> > In this release i used :
> >> >
> >> >    - Tapestry 5.0.7 as the Web MVC framework.
> >> >    - Acegi 1.0.5 as the security system.
> >> >    - Spring 2.5 as the application framework.
> >> >    - Spring JDBC for the Data Access Layer.
> >> >    - Hibernate 3.2.4 as an alternative for the Data Access Layer.
> >> >    - JPA (Hibernate implementation) as another alternative for the
> >> >    Data Access Layer.
> >> >    - HSQLDB 1.8.0.7 for the application database.
> >> >
> >> > read more about application configuration at
> >> > http://code.google.com/p/shams/wiki/TASJHJ
> >> >
> >> > you can download source code for this release and previous releases
> >> from
> >> > http://code.google.com/p/shams/
> >> >
> >> >
> >> > --
> >> > sincerely yours
> >> > M. H. Shamsi
> >> >
> >> >
> >>
> >> --
> >> View this message in context:
> >>
> http://www.nabble.com/-T5--ANN----Tapestry%2BAcegi%2BSpring%2BJDBC%2BHibernate%2BJPA%2BHSQLDB-all-in-one-tp15017544p15018441.html
> >> Sent from the Tapestry - User mailing list archive at Nabble.com.
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: [EMAIL PROTECTED]
> >> For additional commands, e-mail: [EMAIL PROTECTED]
> >>
> >>
> >
> >
> > --
> > sincerely yours
> > M. H. Shamsi
> >
> >
>
> --
> View this message in context:
> http://www.nabble.com/-T5--ANN----Tapestry%2BAcegi%2BSpring%2BJDBC%2BHibernate%2BJPA%2BHSQLDB-all-in-one-tp15017544p15019005.html
> Sent from the Tapestry - User mailing list archive at Nabble.com.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>


-- 
sincerely yours
M. H. Shamsi
