LoginFilter & j_security_check

Efrat Bar-Nahum
Ranch Hand

Joined: Jan 19, 2006
Posts: 57
Hi,

I'm trying to use a pre-login filter for the j_security_check.
I want to perform an action before the j_security_check is submitted, and I thought that this is the place to do it.

When I undeploy my jar I get to the destroy method, when I redeploy it I get to the init method, and right after submitting the action (pressing the OK button in the login page) I want to get to the doFilter method - but I don't.

My LoginFilter code is:



In the web.xml I defined:

<filter id="Filter_1">
  <filter-name>LoginFilter</filter-name>
  <display-name>LoginFilter</display-name>
  <filter-class>com.imagine.em.common.filters.LoginFilter</filter-class>
  <description>Performs pre-login and post-login operation</description>
</filter>

<filter-mapping>
  <filter-name>LoginFilter</filter-name>
  <url-pattern>/j_security_check</url-pattern>
</filter-mapping>

<security-constraint>
  <display-name>require valid user</display-name>
  <web-resource-collection>
    <web-resource-name>EM application</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
    <url-pattern>*.htm</url-pattern>
    <url-pattern>*.html</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Admin</role-name>
    <role-name>Regular</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>EM Application</realm-name>
  <form-login-config>
    <form-login-page>/faces/html/common/login.jsp</form-login-page>
    <form-error-page>/faces/html/common/login.jsp?failed=true</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>Admin</role-name>
</security-role>
<security-role>
  <role-name>Regular</role-name>
</security-role>



Why don't I get to the doFilter method? I want it to be a pre login action.

Thanks a lot,
Efrat
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41050
j_security_check is functionality that is handled internally by the servlet container. It can't be treated like it is a regular URL.


Efrat Bar-Nahum
Ranch Hand

Joined: Jan 19, 2006
Posts: 57
So there's no way to define filters for j_security_check?
In the IBM site it says it's possible: http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/rzatz/51/sec/secdform.html

Is it a mistake?

Thanks,
Efrat
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41050
Interesting. The servlet spec does not specify whether or not this should be possible, so I guess it may be container-dependent.
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

If the container is intercepting the initial (non-logged in requests) and forwarding to j_security_check, the forward will not go through the filter.
I'm not sure how containers handle this.

If you're using a Servlet Spec 2.4 compliant container, you can configure your filter to intercept server side forwards with the <dispatcher>FORWARD</dispatcher> element.

Look at SRV.6.2.5.
There is a link to the servlet spec in my signature.


If that doesn't do it, try filtering every request:
<url-pattern>/*</url-pattern>

Let us know what you find.


Java API J2EE API Servlet Spec JSP Spec How to ask a question... Simple Servlet Examples jsonf
Efrat Bar-Nahum
Ranch Hand

Joined: Jan 19, 2006
Posts: 57
The <dispatcher>FORWARD</dispatcher> doesn't help.
And when I changed the url-pattern to /* I get to the doFilter all the time, but not after j_security_check.
I figured it out, because in doFilter I do:


And I get null in both username & password.

Thanks,
Efrat
Kartik Lax
Greenhorn

Joined: Apr 23, 2006
Posts: 24
Hi Efrat

I have not gone through your code but from your web.xml, I can see that your form login page is at /faces/html/common/login.jsp so your URL pattern should be

<filter-mapping>
<filter-name>LoginFilter</filter-name>
<url-pattern>/faces/html/common/j_security_check</url-pattern>
</filter-mapping>

[Try this out, this should work. The j_security_check is actually called from this URL. I can't clearly explain this, but it'll be obvious if you remove your form error page: you can see a 404 page with the URL /faces/html/common/j_security_check. You can probably undo all the code changes that you have done to correct this 'filter not getting invoked' problem.]

-Hellkay
Efrat Bar-Nahum
Ranch Hand

Joined: Jan 19, 2006
Posts: 57
It doesn't help...
Even after changing the url-pattern to :
I have the same behavior.
I get to init when deploying, to destroy when undeploying the war, but I don't get to doFilter when I log in...

Any idea?

Thanks,
Efrat
Kartik Lax
Greenhorn

Joined: Apr 23, 2006
Posts: 24
Is your login functionality working correctly otherwise?
i.e. You try to access a secure resource, are you redirected to the login jsp? Are you routed to the error page if you key in invalid details?
Efrat Bar-Nahum
Ranch Hand

Joined: Jan 19, 2006
Posts: 57
Yes, both of the scenarios are handled OK.
Kartik Lax
Greenhorn

Joined: Apr 23, 2006
Posts: 24
Can you remove the value of the form-error page from your web.xml and try a login failure scenario? And check the URL in the browser for that scenario?

[it should end with j_security_check]

-Hellkay
Efrat Bar-Nahum
Ranch Hand

Joined: Jan 19, 2006
Posts: 57
In case of a failure, after removing the form-error-page I get the URL:
http://localhost:8080/EM/j_security_check

I get the same failure URL when the url-pattern is defined as:

or as


Thanks,
Efrat
Kartik Lax
Greenhorn

Joined: Apr 23, 2006
Posts: 24
Good, this should work ...



try it.
Efrat Bar-Nahum
Ranch Hand

Joined: Jan 19, 2006
Posts: 57
Still not working...
I have the same behaviour: get to the LoginFilter's destroy() when undeploying, get to the init() when deploying, but I don't get to the doFilter() when logging-in.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41050
Hello "Kartik L"-

On your way in you may have missed that JavaRanch has a policy on display names, and yours does not comply with it; specifically, a first name and a last name are required. Please adjust it accordingly, which you can do right here. Thanks for your prompt attention to this matter.
Kartik Lax
Greenhorn

Joined: Apr 23, 2006
Posts: 24
Hi Efrat,

What is the server that you are using? I tried filters on j_security_check in WebSphere and they are working fine.

I seem to find through Google that there are some problems with 'servlet filter on j_security_check' and JBoss/Tomcat; please check that out if you are using JBoss/Tomcat.

But for one last try you can change the URL pattern to
<url-pattern>j_security_check</url-pattern>
dropping the /.
Efrat Bar-Nahum
Ranch Hand

Joined: Jan 19, 2006
Posts: 57
Yes, I am using JBoss/Tomcat...
Any idea how to solve the problem?

(When I'm using <url-pattern>j_security_check</url-pattern> I get a deployment exception)

Thanks,
Efrat
Kartik Lax
Greenhorn

Joined: Apr 23, 2006
Posts: 24
Efrat,

This doesn't look good
if you are using Tomcat...
[ August 02, 2006: Message edited by: Kartik Lax ]
Efrat Bar-Nahum
Ranch Hand

Joined: Jan 19, 2006
Posts: 57

Kartik, thanks a lot for your help.

I'll try to look for another solution. (Can you think of any other way to deal with the given login parameters before they are passed to the login module?)
Kartik Lax
Greenhorn

Joined: Apr 23, 2006
Posts: 24
One approach would be to have a non-secure JSP that would submit onload to the login servlet... the doFilter()'s code can be inserted in the JSP.

But this would act as a filter only for that servlet in the jsp's action parameter. And that jsp will be your application's welcome-file/login URL.
Efrat Bar-Nahum
Ranch Hand

Joined: Jan 19, 2006
Posts: 57
Ok, I might try that.
Again, thanks a lot for all your help!!

Efrat
Srikanth Shenoy
author
Ranch Hand

Joined: Jan 24, 2004
Posts: 184
The foolproof way to address this is really non-portable across containers.
This is because the real solution that is guaranteed to work is to customize the Security SPI implementation class for your application server provider.

The security SPI classes get the callback first after any login info is entered. This is not as tough as it seems.

For instance, in WebLogic it is called SSPI (basically a bunch of classes for authN, authZ or identity assertion (if using perimeter authentication), etc.).
For WebSphere it is User Registry or Trust Association Interceptor (TAI) (if using perimeter authentication).
For Tomcat it is the Realm classes (I think; I cannot recall the exact name in Tomcat).


Srikanth Shenoy
Author of Struts Survival Guide : Basics to Best Practices
Kartik Lax
Greenhorn

Joined: Apr 23, 2006
Posts: 24
Hi Srikanth,

Can you suggest some links where I can read more on that?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41050
Tomcat makes it easy to extend any of the built-in Realm implementations. Then you can perform any necessary pre-/post-processing and still use the generic web authentication framework. I described and implemented such an approach in a recent JavaRanch Journal article (have a look at the "Integration with Tomcat Realms" section).
[ August 22, 2006: Message edited by: Ulf Dittmer ]
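
The Realm-extension approach from the last reply, as an added example that is not code from this thread or from the article it mentions: a subclass of Tomcat's DataSourceRealm that runs a pre-login check and a post-login audit step around the stock credential check. The class name, package, length limit and allowed-character policy are assumptions chosen for illustration.

```java
// Added example; PreLoginRealm, its package and its limits are hypothetical.
package example.security;

import java.security.Principal;
import java.util.logging.Logger;

import org.apache.catalina.realm.DataSourceRealm;

/**
 * Wraps Tomcat's credential check with pre- and post-login steps.
 * With FORM authentication the container passes the submitted
 * j_username / j_password values to authenticate(), so this is a
 * point where they can be inspected on Tomcat.
 */
public class PreLoginRealm extends DataSourceRealm {

    private static final Logger LOG = Logger.getLogger(PreLoginRealm.class.getName());
    private static final int MAX_USERNAME_LENGTH = 64; // assumed policy limit

    @Override
    public Principal authenticate(String username, String credentials) {
        // Pre-login: refuse missing or malformed input before it reaches the user store.
        if (username == null || credentials == null) {
            return null; // a null Principal tells the container the login failed
        }
        String name = username.trim();
        if (name.isEmpty() || name.length() > MAX_USERNAME_LENGTH
                || !name.chars().allMatch(PreLoginRealm::isAllowed)) {
            LOG.warning("Rejected login attempt with malformed username");
            return null;
        }

        // Delegate to the stock realm for the actual credential check.
        Principal principal = super.authenticate(name, credentials);

        // Post-login: audit the outcome. The password is never logged, and the
        // name is safe to log because only allowed characters reach this point.
        if (principal == null) {
            LOG.warning("Login failed for user '" + name + "'");
        } else {
            LOG.info("Login succeeded for user '" + name + "'");
        }
        return principal;
    }

    // Assumed allow-list: letters, digits and a few separators.
    private static boolean isAllowed(int c) {
        return Character.isLetterOrDigit(c) || c == '.' || c == '_' || c == '-' || c == '@';
    }
}
```

The realm is selected with the className attribute of the `<Realm>` element in Tomcat's configuration, and the class has to be on the container's classpath rather than inside the web application.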
 