
how to control redirect of j_servlet_check

 
Ray Lim
I am using "j_servlet_check" for authentication. After a successful login, the function redirects to the resource the user was trying to access. Is there a way to change this so I can choose where the function redirects to?
On a more general note, should I be using j_servlet_check for authentication? Is there a better mechanism?
Also, is there a way to authenticate a person who is requesting a non-protected resource? Just to log them in for profiling purposes.
FYI. I'm using Tomcat 4
[ February 06, 2002: Message edited by: Ray Lim ]
 
David O'Meara
I assume you are talking about FORM based authentication in an Application server?
(I've done it, but I usually get someone else to set it up and handle it so I'm rusty on the specifics)
The information is stored in the session, so you can get the key names to find out how it is stored and presumably change the value...
Dave
 
Ray Lim
Under the session object, I couldn't find any attributes related to which protected resource I was trying to access.
For everyone, regarding the third point of logging in a person who is not requesting a protected resource: I have found that creating my own login servlet, which keeps the username and password in session, works best so far. Then when accessing a protected resource, I use the stored username/password and call "j_servlet_check", which then redirects back to the protected resource. If you want more info on this just let me know.
 
Ray Lim
Under the session object, I couldn't find any attributes related to which protected resource I was trying to access, using session.getAttributeNames().
For everyone, regarding the third point of logging in a person who is not requesting a protected resource: I have found that creating my own login servlet, which keeps the username and password in session, works best so far. Then when accessing a protected resource, I use the stored username/password and call "j_servlet_check", which then redirects back to the protected resource. If you want more info on this just let me know.
 
Paul Michael
Greetings Ray! I'd like to know in detail how you did it... Could you post the code here or email it to me? Thank you in advance!
[ February 06, 2002: Message edited by: Paul Michael Laborte ]
 
Ray Lim
Here ya go... I used scriptlets for the example, but I used taglibs in actual code.
login.form--------------------------------------
<html><body>
<form method="POST" action="/loginAction.do" >
  <table border="0" cellspacing="5">
    <tr>
      <th align="right">Username:</th>
      <td align="left"><input type="text" name="j_username"></td>
    </tr>
    <tr>
      <th align="right">Password:</th>
      <td align="left"><input type="password" name="j_password"></td>
    </tr>
    <tr>
      <td align="right"><input type="submit" value="Log In"></td>
      <td align="left"><input type="reset"></td>
    </tr>
  </table>
  Authenticated as:<%= request.getRemoteUser() %><br>
  <% if (session.getAttribute("username") == null) {
       out.println("Not Logged In");
     } else {
       out.println("Logged In as: " + session.getAttribute("username") + "<br><a href='/smartcafe/logout.jsp'>Logoff</a>");
     }
  %><br>

</form>
</body></html>
loginAction servlet-----------------------------
// validate user against LDAP
LDAPActor la = new LDAPActor();
String username = request.getParameter("j_username");
String password = request.getParameter("j_password");
boolean result = la.authenticate(username, password, LDAPActor.AUTH_BY_CN);

// a servlet has no implicit session variable, so fetch it from the request
HttpSession session = request.getSession(true);

if (result) {
    // if a principal is already set, log that person out by starting a fresh session
    if (request.getUserPrincipal() != null) {
        session.invalidate();
        session = request.getSession(true);
    }
    // keep the credentials in the session for loginRouter.jsp to use later
    session.setAttribute("username", username);
    session.setAttribute("password", password);
    // setup any additional vars
    response.sendRedirect("index.jsp");
} else {
    // invalid auth
    response.sendRedirect("login.jsp");
}
web.xml-------------------------------------
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Testing</web-resource-name>
    <url-pattern>/authentication/east.jsp</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>EAST</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Testing</web-resource-name>
    <url-pattern>/courses</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Students</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>default</realm-name>
  <form-login-config>
    <form-login-page>/loginRouter.jsp</form-login-page>
    <form-error-page>/authentication/error.jsp</form-error-page>
  </form-login-config>
</login-config>
loginRouter.jsp page----------------------------------
<%@ page import = "java.net.*" %>
<%
// Credentials were saved in the session by loginAction, but the container has
// not authenticated the user yet: send them to the container's login URL.
if (session.getAttribute("username") != null
        && session.getAttribute("password") != null
        && request.getUserPrincipal() == null)
{
    String username = (String) session.getAttribute("username");
    String password = (String) session.getAttribute("password");
    response.sendRedirect("j_security_check?j_username=" + URLEncoder.encode(username)
            + "&j_password=" + URLEncoder.encode(password));
}

%>
--------------------------------------------------
Within the servlet, the LDAPActor is an API I wrote to talk to LDAP. The login form is an include on the home, secondary, or login page [not on loginRouter.jsp]. loginRouter.jsp is used as a redirection page. After the action, the username/password are kept in session but the user has not had to access a protected resource (PR). But the first time they attempt to access a PR, they are sent to loginRouter.jsp. Then, the router sends an authentication call. If valid, they are sent to the PR they requested.
So in essence, the code lets the user save their username/password in session till when the system actually needs it.
[ February 07, 2002: Message edited by: Ray Lim ]
[ February 07, 2002: Message edited by: Ray Lim ]
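The code posted above keeps the plaintext password in the session and later sends it in the query string of a redirect, where it can end up in access logs and browser history. As an added example that is not part of the thread, this sketch logs the user in from any page, lets the application choose the post-login target, and never stores the password. It assumes a Servlet 3.1+ container (not Tomcat 4) whose realm is backed by the same user store; the class name, the `next` parameter and `safeTarget` are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet: the class name and the "next" parameter are assumptions.
@WebServlet("/loginAction.do")
public class LoginServlet extends HttpServlet {

    // Accept only a path inside this application; anything else goes to the home page.
    static String safeTarget(String next) {
        if (next == null || !next.startsWith("/") || next.startsWith("//")
                || next.contains("\\") || next.contains("://")
                || next.indexOf('\r') >= 0 || next.indexOf('\n') >= 0) {
            return "/index.jsp";
        }
        return next;
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("j_username");
        String password = request.getParameter("j_password");
        try {
            if (username == null || password == null) throw new ServletException("missing credentials");
            if (request.getUserPrincipal() != null) {
                request.logout();                 // drop the previous identity first
            }
            // The container checks the credentials against its configured realm and
            // sets the principal now, so nothing has to replay the password later.
            request.login(username, password);
        } catch (ServletException e) {
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }
        request.getSession(true);
        request.changeSessionId();                // new session id after authentication
        // Only the user name is kept for display; the password is never stored.
        request.getSession().setAttribute("username", request.getRemoteUser());
        response.sendRedirect(request.getContextPath()
                + safeTarget(request.getParameter("next")));
    }
}
```

Because the principal is established at login time, a later request for a protected resource passes the `security-constraint` check directly and the `form-login-page` is only reached by users who have not logged in.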
 