Re: [lyo-dev] Reuse HttpClient session in Browser
Nils,
I would caution against this since the password can appear in plaintext in the address bar, error pages, and history. Also, depending on the server's logging settings, it could get put in a server log. The extra login is annoying, but I'm not sure it's worth the risk.
One approach you might consider is to use OAuth. As part of the OAuth flow, you show a browser window for the user to log in. This OAuth login actually establishes a session with RTC, so I don't think the user will have to log in again when you show the preview.
--
Samuel Padgett | IBM Rational | spadgett@xxxxxxxxxx
Nils Kronqvist ---05/13/2013 03:06:02 PM---On 13 maj 2013, at 19:53, Michael Fiedler <fiedler.mf@xxxxxxxxx> wrote: > I don't believe this can b
From: Nils Kronqvist <nissekronqvist@xxxxxxxxxxx>
To: Lyo project developer discussions <lyo-dev@xxxxxxxxxxx>
Date: 05/13/2013 03:06 PM
Subject: Re: [lyo-dev] Reuse HttpClient session in Browser
Sent by: lyo-dev-bounces@xxxxxxxxxxx
On 13 maj 2013, at 19:53, Michael Fiedler <fiedler.mf@xxxxxxxxx> wrote:
I don't believe this can be done (someone correct me if I'm wrong here). RTC relies on session-specific information (cookies like JSESSIONID) to tell if you are authenticated. Since the browser would have its own session, there's no way to "share" your existing JazzFormAuthClient's authentication. The form auth code does do exactly what you did to login by hitting the j_security_check URL. It follows some redirects to get there and picks up some cookies on the way. So, that is not an incorrect way to do it.
[Nils] OK, thanks. I guess my main issue is the showing of the pw in plaintext in the error message.
Are you able to hit the login URL and then send the SWT Browser to the real url you want?
[Nils] Yes, that is working.
Regards,
Mike
On Wed, May 8, 2013 at 12:14 AM, Nils Kronqvist <nissekronqvist@xxxxxxxxxxx> wrote:
Hi,
I'm using the JazzFormAuthClient (i.e. according to the RTCFormClient sample) to access ChangeRequests, and would like to open an SWT Browser on a preview url *without* having to authenticate again for the Browser. I found I could login by passing https://myserver:9443/ccm/j_security_check?j_username=myname&j_password=mypassword for the Browser, but not sure if this is the right way to do it. Besides, I get a warning that the security certificate of the server is not valid on 1st call (reason not related to this, but still ..) -- and then showing the url with the pw ...
Also tried other ideas found on the net, but no luck so far. Any pointers ..?
Rgs,
/Nils K
_______________________________________________
lyo-dev mailing list
lyo-dev@xxxxxxxxxxx
http://dev.eclipse.org/mailman/listinfo/lyo-dev
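
Added example, not part of the original thread or of the Lyo code: the server-log exposure raised in the reply above, shown as a Python scrubber that finds and redacts credential parameters such as j_password in logged URLs. The log lines are constructed, and the parameter names other than j_password are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# j_password is the parameter from the thread; the other names are assumed variants.
SENSITIVE = {"j_password", "password", "passwd", "pwd"}
URL_RE = re.compile(r"""(?:https?://[^\s"']+|/[^\s"']*\?[^\s"']+)""")

def redact_url(url):
    """Return (redacted_url, names_of_redacted_params)."""
    parts = urlsplit(url)
    hits, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE:
            hits.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    if not hits:
        return url, []  # untouched URLs keep their exact original encoding
    return urlunsplit(parts._replace(query=urlencode(pairs))), hits

def scrub_line(line):
    """Redact every absolute URL or request target found in one log line."""
    found = []
    def repl(match):
        new, hits = redact_url(match.group(0))
        found.extend(hits)
        return new
    return URL_RE.sub(repl, line), found

# Constructed sample lines: an access-log entry, a harmless request, a Referer header.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/May/2013:15:06:02 +0000] "GET /ccm/j_security_check?j_username=myname&j_password=mypassword HTTP/1.1" 302 -',
    '10.0.0.5 - - [13/May/2013:15:06:03 +0000] "GET /ccm/web/projects?id=42 HTTP/1.1" 200 5120',
    'Referer: https://myserver:9443/ccm/j_security_check?j_username=myname&j_password=mypassword',
]

def scan(lines):
    """Return (scrubbed_lines, 1-based numbers of lines that carried a secret)."""
    scrubbed, leaking = [], []
    for number, line in enumerate(lines, start=1):
        clean, hits = scrub_line(line)
        scrubbed.append(clean)
        if hits:
            leaking.append(number)
    return scrubbed, leaking

if __name__ == "__main__":
    print(scan(SAMPLE_LOG)[1])
```

Any line the scan reports means the password has already been written to disk in that log, so the account's password should be changed in addition to scrubbing the file.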

