I'm using JBoss Portal 2.0.
This is its web.xml security part:
<!-- Declarative security section of the portal web.xml (fragment). -->
<!-- Only URLs matching /auth/* are restricted; they require the "Authenticated" role. -->
<!-- NOTE(review): no <user-data-constraint> / <transport-guarantee> element appears in
     this fragment, so nothing shown here forces the login exchange onto HTTPS.
     Confirm against the full descriptor. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Authenticated</web-resource-name>
    <description></description>
    <url-pattern>/auth/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Authenticated</role-name>
  </auth-constraint>
</security-constraint>
<!-- Container-managed FORM authentication: /login.jsp is the login page and
     /errorpages/wronglogin.html is the page shown after a failed login. -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>JBoss Portal</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/errorpages/wronglogin.html</form-error-page>
  </form-login-config>
</login-config>
<!-- Declares the role name referenced by the auth-constraint above. -->
<security-role>
  <role-name>Authenticated</role-name>
</security-role>
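<%
    // Login relay: reads the "username" and "password" request parameters and, when both
    // are present, redirects the browser to j_security_check with them as query
    // parameters; otherwise it redirects to /portal.
    String username = request.getParameter("username");
    // NOTE(review): this writes request-supplied text to the server's standard output
    // unfiltered; consider dropping it or stripping control characters before logging.
    System.out.println("Username: " + username);
    String password = request.getParameter("password");
    if (username != null && password != null) {
        // Percent-encode both values before placing them in the URL. Unencoded, a value
        // containing '&', '#', '=', whitespace or CR/LF would corrupt the query string or
        // add extra parameters to the redirect target.
        // Assumes the container decodes query strings as UTF-8 (confirm connector settings).
        String url = "j_security_check?j_username=" + java.net.URLEncoder.encode(username, "UTF-8")
                + "&j_password=" + java.net.URLEncoder.encode(password, "UTF-8");
        // NOTE(review): encoding does not hide the password. It is still returned to the
        // browser in the Location header and then requested as a GET query string, so it
        // can be recorded in browser history, proxy logs and server access logs. Sending
        // j_username / j_password in a POST body to j_security_check over HTTPS avoids
        // that exposure; whether that fits this portal's login flow needs confirming.
        String redirectUrl = response.encodeRedirectURL(url);
        response.sendRedirect(redirectUrl);
    } else {
        // String home = (String)request.getAttribute(CoreConstants.REQ_ATT_CONTEXT_PATH);
        // Credentials missing: send the browser to the portal entry point.
        String home = "portal";
        String portalUrl = response.encodeRedirectURL(home);
        response.sendRedirect("/" + portalUrl);
    }
%>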
<%-- Login form: POSTs the fields "username" and "password" to /portal/auth/enlogin. --%>
<%-- NOTE(review): if the application's context path is /portal (presumably; confirm),
     this action falls under the /auth/* security constraint, so an unauthenticated POST
     may be intercepted by the container's FORM login before any handler sees the
     parameters. The password is only protected in transit when both this page and the
     action URL are served over HTTPS. --%>
<form id="loginform" class="login" name="loginform" action="/portal/auth/enlogin" method="post"> <input type="text" name="username" title="<s:message code="username"/>" alt="<s:message code="username"/>"/><input type="password" name="password" alt="<s:message code="password"/>" title="<s:message code="password"/>"/>
But if I use the GET method, the parameters do get propagated.
But then my password is part of the URL. :-(