Web security: override "j_security_check" ?

Sol Mayer-Orn
Ranch Hand

Joined: Nov 13, 2002
Posts: 311

Any advice on the following would be greatly appreciated.

I'd like to write my own "j_security_check" servlet. Thus we may have Form-based-login, but the login page would have:
< form action=myServletUrl .. >
Instead of the standard
< form action=j_security_check ... >

"myServlet" would validate the user/password, and if successful, would redirect the user to some fixed "welcome.html" page.
The reason for this customized servlet is crazy requirements (least of them being, login done using GET instead of POST, stupid as it might sound).

My question: how would "myServlet" tell the container that login has been successful? Because I imagine the container checks the session for some "logged in" flag, or checks the request for presence of userPrincipal. If "myServlet" can't fix this data, then the container won't know user is logged in, and will repeatedly prompt him to login...
If it matters, we're using WebSphere 5.1.1 (J2EE 1.3).

Thanks a lot
louise rochford
Ranch Hand

Joined: Apr 04, 2002
Posts: 119
I investigated doing something similar in WebSphere 5.1 about 18 months ago & got nowhere except closer to Aspirin. WebSphere implements j_security_check using its own classes (just like all containers). After a lot of digging, I found out what the class was called (sorry, can't remember now), but couldn't figure out how to override it.
If the main driving force is the need to use GET instead of POST, I wonder if it might be possible to have your designated login page point to your own servlet (using GET), then have your own servlet internally call j_security_check (i.e. mimic the POST call from the page) & let WebSphere's code do its thing verifying the username/password & setting the user to logged on in its internal registry?
I haven't tried this so I don't know if it will work. I can envisage a future requirement to log a user in on the basis of more information than a username & password - just think of a standard internet bank login - and currently don't know how we'd handle this other than by some sort of a filter on the j_security_check. If you succeed in overriding the WebSphere implementation, I'd be very interested in finding out how you did it.

Sol Mayer-Orn
Ranch Hand

Joined: Nov 13, 2002
Posts: 311
Thanks very much for your reply.
I'm not optimistic about overriding WebSphere's j_security_check, but if I get anywhere I'll gladly share.
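
A login done with GET, as discussed in this thread, carries the form fields in the URL, so they are written to web server access logs. The following is an added example, not code from the thread: it finds such entries and redacts the password. The field names `j_username` and `j_password` are the ones the servlet specification defines for form login; the log layout, paths, addresses and credentials are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Form-login field names defined by the servlet specification.
USER_FIELD = "j_username"
SECRET_FIELDS = {"j_password"}

# Request line inside a common/combined-format access log entry (assumed layout).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample entries; addresses, paths and credentials are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2005:10:01:22 +0000] '
    '"GET /app/myServletUrl?j_username=alice&j_password=s3cr%21t HTTP/1.1" 302 0',
    '192.0.2.10 - - [12/Mar/2005:10:01:23 +0000] "GET /app/welcome.html HTTP/1.1" 200 512',
    '192.0.2.11 - - [12/Mar/2005:10:02:00 +0000] "POST /app/j_security_check HTTP/1.1" 302 0',
]

def scan_line(line):
    """Return (finding, redacted_line); finding is None when no secret is in the URL."""
    m = REQUEST_RE.search(line)
    if not m:
        return None, line
    parts = urlsplit(m.group("target"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = [k for k, _ in pairs if k.lower() in SECRET_FIELDS]
    if not leaked:
        return None, line
    user = next((v for k, v in pairs if k.lower() == USER_FIELD), None)
    safe = [(k, "REDACTED" if k.lower() in SECRET_FIELDS else v) for k, v in pairs]
    target = urlunsplit(parts._replace(query=urlencode(safe)))
    redacted = line[:m.start("target")] + target + line[m.end("target"):]
    finding = {"method": m.group("method"), "path": parts.path,
               "user": user, "fields": leaked}
    return finding, redacted

def scan(lines):
    """Scan all lines; return (findings, redacted copy of the log)."""
    findings, redacted = [], []
    for line in lines:
        finding, safe_line = scan_line(line)
        if finding:
            findings.append(finding)
        redacted.append(safe_line)
    return findings, redacted

if __name__ == "__main__":
    found, cleaned = scan(SAMPLE_LOG)
    for f in found:
        print("credential in URL:", f)
    print("\n".join(cleaned))
```

Redacting a copy does not remove the value from the original log files or their backups, so an account named in a finding still needs its password changed.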