This week's book giveaway is in the Jobs Discussion forum.
We're giving away four copies of Java Interview Guide and have Anthony DePalma on-line!
See this thread for details.
The moose likes JSP and the fly likes Form Based Authentication Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login

Win a copy of Java Interview Guide this week in the Jobs Discussion forum!
JavaRanch » Java Forums » Java » JSP
Bookmark "Form Based Authentication" Watch "Form Based Authentication" New topic

Form Based Authentication

Princeton Ebanks

Joined: Mar 20, 2008
Posts: 5
I have been trying to use form based authentication without much success. I have a simple web application that gives access to some resources. I start with a login page and from this page I want to forward authorized users to the resources (web page). After configuring the web.xml file, how exactly do I state which page to forward to after a successful login?

I have read quite a bit of stuff about using j_security_check, but nothing tells me how to specify where to go after a user has logged in successgully.

Anyone wiht some light?
Ulf Dittmer

Joined: Mar 22, 2005
Posts: 42965
You don't specify that directly. You access the page, and -upon seeing that is protected- the server will redirect to the login page, and upon suscessful login, back to the page that was first requested. So the first page to access isn't the login page, it's the main content-bearing page.
Princeton Ebanks

Joined: Mar 20, 2008
Posts: 5
Thanks, I suspected it would be so. Now, I get the first part. I have renamed made my main content page (index.jsp) and now indeed the server redirects to the login page (loginForm.jsp). I however do not go back to the original page requested when I type in my username and password correctly. I get the error page.

I am using a java db database as my credentials source. I think I have configured my server.xml file properly. The code below shows the relevant section from 'server.xml'

<Realm className="org.apache.catalina.realm.JDBCRealm"
driverName = "org.apache.derby.jdbc.ClientDriver"

Is there anything I am missing out?
Princeton Ebanks

Joined: Mar 20, 2008
Posts: 5
Apart from the obvious spelling error in the realm definition, the issue was two-fold.

The realm had to be defined in a separate file, not the 'server.xml' file. Apache uses this file to define its own realm used to allow users to actually start the server. For your own application, you must define your realm in the 'context.xml' file of the application (in NetBeans). This may be <application_name>.xml for other IDEs (perhaps Eclipse).

Also, the jar file for the database to be used for authentication had to be placed in the apache tomcat lib folder. This doesn't sound very scalable, but understandable if you are using a custom database for your credentials data source. Using LDAP would be handy, wouldnt it?

One small problem: the permission granted is somehow tied to the browser. I had another browser window (tab) open before launcing my application. After closing my tab and relaunching, I went straight to the 'protected' page.

How do I limit the authentication to the session and NOT the application?
[ March 28, 2008: Message edited by: Princeton Ebanks ]
I agree. Here's the link:
subject: Form Based Authentication
It's not a secret anymore!