Any advice on the following would be greatly appreciated.
I'd like to write my own "j_security_check" servlet. Thus we may have Form-based-login, but the login page would have: <form action=myServletUrl .. > instead of the standard <form action=j_security_check ... >
"myServlet" would validate the user/password, and if successful, would redirect the user to some fixed "welcome.html" page. The reason for this customized servlet is crazy requirements (least of them being, login done using GET instead of POST, stupid as it might sound).
My question: how would "myServlet" tell the container that login has been successful? Because I imagine the container checks the session for some "logged in" flag, or checks the request for presence of userPrincipal. If "myServlet" can't fix this data, then the container won't know user is logged in, and will repeatedly prompt him to login... If it matters, we're using WebSphere 5.1.1 (J2EE 1.3).
I investigated doing something similar in WebSphere 5.1 about 18 months ago & got nowhere except closer to Aspirin. WebSphere implements j_security_check using its own classes (just like all containers). After a lot of digging, I found out what the class was called (sorry, can't remember now), but couldn't figure out how to override it. If the main driving force is the need to use GET instead of POST, I wonder if it might be possible to have your designated login page point to your own servlet (using GET), then have your own servlet internally call j_security_check (i.e. mimic the POST call from the page) & let WebSphere's code do its thing verifying the username/password & setting the user to logged on in its internal registry? I haven't tried this so I don't know if it will work. I can envisage a future requirement to log a user in on the basis of more information than a username & password - just think of a standard internet bank login - and currently don't know how we'd handle this other than by some sort of a filter on the j_security_check. If you succeed in overriding the WebSphere implementation, I'd be very interested in finding out how you did it.
Thanks very much for your reply. I'm not optimistic about overriding WebSphere's j_security_check, but if I get anywhere I'll gladly share.