LoginFilter & j_security_check

 
Ranch Hand
Posts: 57
Hi,

I'm trying to use a pre login filter for the j_security_check.
I want to perform an action before the j_security_check is submitted, and I thought that this is the place to do it.

When I undeploy my jar I get to the destroy method, when I redeploy it I get to the init method, and right after submitting the action (pressing the OK button in the login page) I want to get to the doFilter method - but I don't.

My LoginFilter code is:



In the web.xml I defined:

<filter id="Filter_1">
  <filter-name>LoginFilter</filter-name>
  <display-name>LoginFilter</display-name>
  <filter-class>com.imagine.em.common.filters.LoginFilter</filter-class>
  <description>Performs pre-login and post-login operation</description>
</filter>

<filter-mapping>
  <filter-name>LoginFilter</filter-name>
  <url-pattern>/j_security_check</url-pattern>
</filter-mapping>

<security-constraint>
  <display-name>require valid user</display-name>
  <web-resource-collection>
    <web-resource-name>EM application</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
    <url-pattern>*.htm</url-pattern>
    <url-pattern>*.html</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Admin</role-name>
    <role-name>Regular</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>EM Application</realm-name>
  <form-login-config>
    <form-login-page>/faces/html/common/login.jsp</form-login-page>
    <form-error-page>/faces/html/common/login.jsp?failed=true</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>Admin</role-name>
</security-role>
<security-role>
  <role-name>Regular</role-name>
</security-role>



Why don't I get to the doFilter method? I want it to be a pre login action.

Thanks a lot,
Efrat
 
Rancher
Posts: 43081
j_security_check is functionality that is handled internally by the servlet container. It can't be treated like it is a regular URL.
 
Efrat Bar-Nahum
Ranch Hand
Posts: 57
So there's no way to define filters for j_security_check?
In the IBM site it says it's possible: http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/rzatz/51/sec/secdform.html

Is it a mistake?

Thanks,
Efrat
 
Ulf Dittmer
Rancher
Posts: 43081
Interesting. The servlet spec does not specify whether or not this should be possible, so I guess it may be container-dependent.
 
Sheriff
Posts: 13411
If the container is intercepting the initial (non-logged in requests) and forwarding to j_security_check, the forward will not go through the filter.
I'm not sure how containers handle this.

If you're using a Servlet Spec 2.4 compliant container, you can configure your filter to intercept server side forwards with the <dispatcher>FORWARD</dispatcher> element.

Look at SRV.6.2.5.
There is a link to the servlet spec in my signature.


If that doesn't do it, try filtering every request:
<url-pattern>/*</url-pattern>

Let us know what you find.
 
Efrat Bar-Nahum
Ranch Hand
Posts: 57
The <dispatcher>FORWARD</dispatcher> doesn't help.
And when I changed the url-pattern to /* I get to the doFilter all the time, but not after j_security_check.
I figured it out, because in doFilter I do:


And I get null in both username & password.

Thanks,
Efrat
 
Greenhorn
Posts: 24
Hi Efrat

I have not gone through your code but from your web.xml, I can see that your form login page is at /faces/html/common/login.jsp so your URL pattern should be

<filter-mapping>
<filter-name>LoginFilter</filter-name>
<url-pattern>/faces/html/common/j_security_check</url-pattern>
</filter-mapping>

[Try this out, this should work. The j_security_check is actually called from this URL. I can't clearly explain this, but it'll be obvious if you remove your form error page: you can see a 404 page with the URL /faces/html/common/j_security_check. You can probably undo all the code changes that you have done to correct this 'filter not getting invoked' problem.]

-Hellkay
 
Efrat Bar-Nahum
Ranch Hand
Posts: 57
It doesn't help...
Even after changing the url-pattern to :
I have the same behavior.
I get to init when deploying, to destroy when undeploying the war, but I don't get to doFilter when I log in...

Any idea?

Thanks,
Efrat
 
Kartik Lax
Greenhorn
Posts: 24
Is your login functionality working correctly otherwise?
i.e. You try to access a secure resource, are you redirected to the login jsp? Are you routed to the error page if you key in invalid details?
 
Efrat Bar-Nahum
Ranch Hand
Posts: 57
Yes, both of the scenarios are handled OK.
 
Kartik Lax
Greenhorn
Posts: 24
Can you remove the value of the form-error page from your web.xml and try a login failure scenario? And check the URL in the browser for that scenario?

[it should end with j_security_check]

-Hellkay
 
Efrat Bar-Nahum
Ranch Hand
Posts: 57
In case of a failure, after removing the form-error-page I get the URL:
http://localhost:8080/EM/j_security_check

I get the same failure URL when the url-pattern is defined as:

or as


Thanks,
Efrat
 
Kartik Lax
Greenhorn
Posts: 24
Good, this should work ...



try it.
 
Efrat Bar-Nahum
Ranch Hand
Posts: 57
Still not working...
I have the same behaviour: get to the LoginFilter's destroy() when undeploying, get to the init() when deploying, but I don't get to the doFilter() when logging-in.
 
Ulf Dittmer
Rancher
Posts: 43081
Hello "Kartik L"-

On your way in you may have missed that JavaRanch has a policy on display names, and yours does not comply with it; specifically, a first name and a last name are required. Please adjust it accordingly, which you can do right here. Thanks for your prompt attention to this matter.
 
Kartik Lax
Greenhorn
Posts: 24
Hi Efrat,

What is the server that you are using? I tried filters on j_security_check in WebSphere and they are working fine.

I seem to find out through Google that there are some problems with 'servlet filter on j_security_check' and JBoss/Tomcat, please check that out if you are using JBoss/Tomcat.

But for one last try you can change the URL pattern to
<url-pattern>j_security_check</url-pattern>
dropping the /.
 
Efrat Bar-Nahum
Ranch Hand
Posts: 57
Yes, I am using Jboss/Tomcat...
Any idea how to solve the problem?

(When I'm using <url-pattern>j_security_check</url-pattern> I get a deployment exception)

Thanks,
Efrat
 
Kartik Lax
Greenhorn
Posts: 24
Efrat,

This doesn't look good
if you are using tomcat...
[ August 02, 2006: Message edited by: Kartik Lax ]
 
Efrat Bar-Nahum
Ranch Hand
Posts: 57

Kartik, thanks a lot for your help.

I'll try to look for another solution. (Can you think of any other way to deal with the given login parameters before they are passed to the login module?)
 
Kartik Lax
Greenhorn
Posts: 24
One approach would be to have a non-secure JSP that would submit onload to the login servlet... the doFilter()'s code can be inserted in the JSP.

But this would act as a filter only for that servlet in the jsp's action parameter. And that jsp will be your application's welcome-file/login URL.
 
Efrat Bar-Nahum
Ranch Hand
Posts: 57
Ok, I might try that.
Again, thanks a lot for all your help!!

Efrat
 
author
Posts: 184
The foolproof way to address this is really non-portable across containers.
This is because the real solution that is guaranteed to work is to customize the Security SPI implementation class for your application server provider.

The security SPI classes get the callback first after any login info is entered. This is not as tough as it seems.

For instance, in WebLogic it is called SSPI (basically a bunch of classes for authN, authZ or identity assertion (if using perimeter authentication), etc.).
For WebSphere it is User Registry or Trust Association Interceptor (TAI) (if using perimeter authentication).
For Tomcat it is the Realm classes (I think... cannot recall the exact name in Tomcat).
 
Kartik Lax
Greenhorn
Posts: 24
Hi Srikanth,

Can you suggest some links where I can read more on that?
 
Ulf Dittmer
Rancher
Posts: 43081
Tomcat makes it easy to extend any of the builtin Realm implementations. Then you can perform any necessary pre-/post-processing and still use the generic web authentication framework. I described and implemented such an approach in a recent JavaRanch Journal article (have a look at the "Integration with Tomcat Realms" section).
[ August 22, 2006: Message edited by: Ulf Dittmer ]
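
The Realm-based approach from the post above, sketched as an added example (not code from this thread or from the linked JavaRanch Journal article). It assumes Tomcat's built-in DataSourceRealm is the realm in use; the package, class name and length limit are hypothetical.

```java
package com.example.security; // hypothetical package, not from the thread

import java.security.Principal;
import java.util.logging.Logger;

import org.apache.catalina.realm.DataSourceRealm;

/**
 * Added example: pre- and post-login hooks in a Tomcat Realm subclass.
 * The container calls authenticate() when the login form is posted to
 * j_security_check, so this code runs where a servlet filter is skipped.
 */
public class PreLoginRealm extends DataSourceRealm {

    private static final Logger LOG = Logger.getLogger(PreLoginRealm.class.getName());
    private static final int MAX_USERNAME_LENGTH = 64; // assumed policy limit

    @Override
    public Principal authenticate(String username, String credentials) {
        // Pre-login: reject malformed input before it reaches the user store.
        if (username == null || credentials == null) {
            return null; // null tells the container that the login failed
        }
        String trimmed = username.trim();
        if (trimmed.isEmpty() || trimmed.length() > MAX_USERNAME_LENGTH) {
            LOG.warning("Login rejected: user name empty or too long");
            return null;
        }

        // Delegate the actual credential check to the built-in realm.
        Principal principal = super.authenticate(trimmed, credentials);

        // Post-login: audit the outcome; the password is never logged.
        if (principal == null) {
            LOG.warning("Login failed for user '" + sanitize(trimmed) + "'");
        } else {
            LOG.info("Login succeeded for user '" + sanitize(trimmed) + "'");
        }
        return principal;
    }

    /** Replace control characters so a user name cannot forge log lines. */
    private static String sanitize(String value) {
        return value.replaceAll("\\p{Cntrl}", "_");
    }
}
```

To use it, point the className attribute of the existing Realm element at this class and keep the data-source attributes already configured for the built-in realm.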
 