
how to control redirect of j_servlet_check

Ray Lim
Greenhorn

Joined: Jan 10, 2002
Posts: 15
I am using "j_servlet_check" for authentication. After a successful login, the function redirects to the resource the user was trying to access. Is there a way to change this so I can choose where the function redirects to?
On a more general note, should I be using j_servlet_check for authentication? Is there a better mechanism?
Also, is there a way to authenticate a person who is requesting a non-protected resource? Just to log them in for profiling purposes.
FYI. I'm using Tomcat 4
[ February 06, 2002: Message edited by: Ray Lim ]
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

I assume you are talking about FORM based authentication in an Application server?
(I've done it, but I usually get someone else to set it up and handle it so I'm rusty on the specifics)
The information is stored in the session, so you can get the key names to find out how it is stored and presumably change the value...
Dave
Ray Lim
Greenhorn

Joined: Jan 10, 2002
Posts: 15
Under the session object, I couldn't find any attributes related to which protected resource I was trying to access, using session.getAttributeNames().
For everyone, regarding the third point of logging in a person who is not requesting a protected resource: I have found that creating my own login servlet which keeps the username and password in session works best, so far. Then when accessing a protected resource, I use the stored username/password and call "j_servlet_check", which then redirects back to the protected resource. If you want more info on this just let me know.
Paul Michael
Ranch Hand

Joined: Jul 02, 2001
Posts: 697
Greetings Ray! I'd like to know in detail how you did it... Could you post the codes here or email them to me? Thank you in advance!
[ February 06, 2002: Message edited by: Paul Michael Laborte ]

SCJP 1.2 (89%), SCWCD 1.3 (94%), IBM 486 (90%), SCJA Beta (96%), SCEA (91% / 77%), SCEA 5 P1 (77%), SCBCD 5 (85%)
Ray Lim
Greenhorn

Joined: Jan 10, 2002
Posts: 15
Here ya go... I used scriptlets for the example, but I used taglibs in actual code.
login.form--------------------------------------
<html><body>
<form method="POST" action="/loginAction.do" >
  <table border="0" cellspacing="5">
    <tr>
      <th align="right">Username:</th>
      <td align="left"><input type="text" name="j_username"></td>
    </tr>
    <tr>
      <th align="right">Password:</th>
      <td align="left"><input type="password" name="j_password"></td>
    </tr>
    <tr>
      <td align="right"><input type="submit" value="Log In"></td>
      <td align="left"><input type="reset"></td>
    </tr>
  </table>
  Authenticated as:<%= request.getRemoteUser() %><br>
  <%
    if (session.getAttribute("username") == null) {
      out.println("Not Logged In");
    } else {
      out.println("Logged In as: " + session.getAttribute("username")
          + "<br><a href='/smartcafe/logout.jsp'>Logoff</a>");
    }
  %><br>

</form>
</body></html>
loginAction servlet-----------------------------
// fragment from the servlet's request-handling method
HttpSession session = request.getSession(true);

// validate user
LDAPActor la = new LDAPActor();
String username = request.getParameter("j_username");
String password = request.getParameter("j_password");
boolean result = la.authenticate(username, password, LDAPActor.AUTH_BY_CN);

if (result) {
    // if principal is set then logout person
    if (request.getUserPrincipal() != null) {
        session.invalidate();
        session = request.getSession(true);
    }
    // keep the credentials in the session for loginRouter.jsp to use later
    session.setAttribute("username", username);
    session.setAttribute("password", password);
    // setup any additional vars
    response.sendRedirect("index.jsp");
} else {
    // invalid auth
    response.sendRedirect("login.jsp");
}
web.xml-------------------------------------
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Testing</web-resource-name>
    <url-pattern>/authentication/east.jsp</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>EAST</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Testing</web-resource-name>
    <url-pattern>/courses</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Students</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>default</realm-name>
  <form-login-config>
    <form-login-page>/loginRouter.jsp</form-login-page>
    <form-error-page>/authentication/error.jsp</form-error-page>
  </form-login-config>
</login-config>
loginRouter.jsp page----------------------------------
<%@ page import = "java.net.*" %>
<%
  if (session.getAttribute("username") != null
      && session.getAttribute("password") != null
      && request.getUserPrincipal() == null) {
    String username = (String) session.getAttribute("username");
    String password = (String) session.getAttribute("password");
    response.sendRedirect("j_security_check?j_username=" + URLEncoder.encode(username)
        + "&j_password=" + URLEncoder.encode(password));
  }
%>
--------------------------------------------------
Within the servlet, the LDAPActor is an API I wrote to talk to LDAP. The login form is an include on the home, secondary, or login page [not on loginRouter.jsp]. loginRouter.jsp is used as a redirection page. After the action, the username/password are kept in session but the user has not had to access a protected resource (PR). But the first time they attempt to access a PR, they are sent to loginRouter.jsp. Then, the router sends an authentication call. If valid, they are sent to the PR they requested.
So in essence, the code lets the user save their username/password in session until the system actually needs it.
[ February 07, 2002: Message edited by: Ray Lim ]
[ February 07, 2002: Message edited by: Ray Lim ]
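Added example, not part of Ray Lim's post or the thread: the flow above keeps the password in the session and later puts it in the query string of a redirect, where it can end up in access logs and browser history. The sketch below logs the user in from an unprotected page through the container itself. It assumes a Servlet 3.0 or later container (javax.servlet namespace) whose realm is configured against the same user store; the class name LoginActionServlet is hypothetical, and the paths are taken from the post.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet (added example): programmatic login against the
// container realm, so no password is stored in the session or sent in a URL.
@WebServlet("/loginAction.do")
public class LoginActionServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("j_username");
        String password = request.getParameter("j_password");
        String loginPage = request.getContextPath() + "/login.jsp";
        if (username == null || password == null) {
            response.sendRedirect(loginPage);
            return;
        }

        // Drop any earlier login and its session before authenticating again.
        if (request.getUserPrincipal() != null) {
            request.logout();
        }
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        // Create the new session first so the container can tie the login to it.
        HttpSession session = request.getSession(true);
        try {
            // Servlet 3.0+: checks the credentials against the web app's realm and,
            // on success, sets getRemoteUser() and getUserPrincipal().
            request.login(username, password);
        } catch (ServletException e) {
            response.sendRedirect(loginPage);
            return;
        }

        // Only the display name goes into the session, never the password.
        session.setAttribute("username", request.getRemoteUser());
        response.sendRedirect(request.getContextPath() + "/index.jsp");
    }
}
```

In Tomcat the principal set by request.login() is cached in the session, so a later request for a protected resource is already authenticated and the loginRouter.jsp redirect to j_security_check is not needed.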
 