[jboss-user] [JBoss Seam] - Login Best Practices
do-not-reply at jboss.com
Sat Apr 21 11:10:09 EDT 2007
I was wondering if there is a good Wiki page covering best practices for Login security for web apps?
One specific question I have is with regards to a login form on the home page (non-secure) that submits to the login action. Because I cannot specify a scheme with JSF/JBoss seam in the h:form tag, I cannot force it to submit to an https URL.
The best I can do is use the pages.xml to require HTTPS, but that results in one non-secure request then a redirect to the secure request. So it's pointless in this case.
I reviewed a JIRA (http://jira.jboss.com/jira/browse/JBSEAM-741) where this was talked about and it appears that for now the Seam team is holding off supporting a scheme attribute in the link/form tags.
It has me thinking there is a security concern with doing this sort of thing (submitting a non-secure form to a secure URL) and that perhaps I should just avoid having the convenient login box on the home page.
Any feedback is very much appreciated.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4039550#4039550