File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes Web Component Certification (SCWCD/OCPJWCD) and the fly likes using the j_security_check in production? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Certification » Web Component Certification (SCWCD/OCPJWCD)
Bookmark "using the j_security_check in production?" Watch "using the j_security_check in production?" New topic

using the j_security_check in production?

Dror Astricher
Ranch Hand

Joined: May 20, 2005
Posts: 31
hi there

i'm prepering myself for the SCWCD exam and trying to create a "real" website with DB, members and etc.

i used the FORM method for login and the j_security check but got some Q the made me think it over? is it really being used in production???

it looks like it gives the developer an easy way to config his security area BUT it actually take the flexibility away!!!

for example:

1. if a user wants to login (just by clicking on login) without going into a security area first. we will probably need to redirect the link to a secure area to trigger the j_security_check and then to jump back to the page. is it a right way???

2. if the user wants to go to a secure page and triggers the login page. what happens if the username and pass are correct but the role is not enough for the page he requested? he will get a 403 error page. i made an error page for the 403 error and the error goes to the error page and then continue and show the user another 403 error page(at the urlline i see that the j_security_check took it over again after the error page was executed).

$$$$ is it not easier to make everything without the j_security_check. just making one DB table with username, pass and role???

can someone tell me if the j_security_check is really used in production? or is it just an option that nobody uses???

thanks and have a great day

Marc Peabody
pie sneak

Joined: Feb 05, 2003
Posts: 4727

From what I've seen, j_security is the most common method. In fact, I think the bigger the application, the more likely it is used. In an enterprise application, the entire thing is usually a secured resource. What you described in part 1 sounds more like a website with some dynamic content.

For a dynamic website you're right, FORM-based security might not be the best option. There's also a good chance that J2EE isn't the best option either.

A good workman is known by his tools.
Vishnu Prakash
Ranch Hand

Joined: Nov 15, 2004
Posts: 1026

There's also a good chance that J2EE isn't the best option either.

Care to explain marc.

Servlet Spec 2.4/ Jsp Spec 2.0/ JSTL Spec 1.1 - JSTL Tag Documentation
I agree. Here's the link:
subject: using the j_security_check in production?
It's not a secret anymore!