JavaRanch » Java Forums » Java » Servlets

j_security_check 'next' page?

doug parker
Ranch Hand

Joined: Oct 26, 2004
Posts: 30
If you access a secured URL and are not authenticated, you get sent to the specified login page. Once you log in, it takes you where you wanted to go earlier. Is there a way to specify the next page to go to after login with j_security_check? BTW, I am using Tomcat.

As an example, I have a login form on my welcome page and after the user authenticates he is sent to his personalized page. How do you do this with j_security_check? I am seeing:
Invalid direct reference to form login page
Vishnu Prakash
Ranch Hand

Joined: Nov 15, 2004
Posts: 1026
Form Based Authentication


Servlet Spec 2.4/ Jsp Spec 2.0/ JSTL Spec 1.1 - JSTL Tag Documentation
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

It's a nice link but I don't think it answers the question.

When the user requests a secured resource, the container detects this. It then remembers the original page and sends you to the specified login page. After successfully logging in, the container looks at the original request and sends the user there. This should come as no surprise to you so far.

The part you're looking for is where the container remembers the original request and then uses this value later on once the user logs in. If you can find out how this works, you can piggy back the mechanism for your own use.

Unfortunately I don't have anything available to test this myself, but there are limited places the information can be stored, so I would start like this:

Define your login page as login.jsp and register this with Tomcat. Add extra code in the JSP to look at all of the cookies and Session values and dump them to the page. As long as you find the information you're looking for, you can then look at ways to set this value yourself when a user logs in and does not already have a redirect location defined.

This is still not quite an answer, since you may not be able to define at that stage exactly which 'user home' you should be sending to. One solution is to detect the forward location; if this location is not set or not valid (due to security reasons), set it to some default secured location, such as /users/index.jsp

Once the user has logged in and finally gets to this page, you now have all the information you need to find their user name, find their home location and do a sendRedirect() to the correct location.

Hope this helps. I haven't done this before although I've considered it several times. Tell me how you get along.

Dave.
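Dave's suggestion of a default secured landing page that then does a sendRedirect() can be written as a servlet. The following is an added example (not code from the thread or from Tomcat) that assumes web.xml declares FORM authentication with /login.jsp as the login page and a security constraint on /users/*, so that /users/index is the default secured location the container forwards to after j_security_check. The user-to-home lookup is a constructed sample; the one point worth keeping from it is that any redirect target not known to the application is replaced by the default, which is what stops the login landing from becoming an open redirect.

```java
// Added example, not from the original thread. Assumes in web.xml:
//   <login-config><auth-method>FORM</auth-method>
//     <form-login-config><form-login-page>/login.jsp</form-login-page>
//       <form-error-page>/login-error.jsp</form-error-page></form-login-config>
//   </login-config>
//   plus a <security-constraint> whose <url-pattern> is /users/*
// and this servlet mapped to /users/index.
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class PostLoginServlet extends HttpServlet {

    // Constructed sample lookup; a real application reads this from its user store.
    private static final Map<String, String> HOME_BY_USER = new HashMap<String, String>();
    static {
        HOME_BY_USER.put("doug", "/users/doug/dashboard.jsp");
        HOME_BY_USER.put("alice", "/users/alice/dashboard.jsp");
    }

    // Default secured location, as suggested in the thread.
    static final String DEFAULT_HOME = "/users/index.jsp";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Because /users/* is constrained, the container has already run
        // j_security_check before this code executes, so the principal is set.
        // The null check is defensive, in case the constraint is misconfigured.
        if (req.getUserPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String user = req.getUserPrincipal().getName();
        String home = HOME_BY_USER.get(user);
        resp.sendRedirect(req.getContextPath() + safeLocalPath(home, DEFAULT_HOME));
    }

    /**
     * Only ever redirect inside this web application. A target taken from a
     * cookie, hidden field or request parameter must not be used as-is;
     * anything that is not a plain local path falls back to the default.
     */
    static String safeLocalPath(String candidate, String fallback) {
        if (candidate == null
                || !candidate.startsWith("/")
                || candidate.startsWith("//")      // protocol-relative URL
                || candidate.startsWith("/\\")     // browser-normalised variant of //
                || candidate.contains("..")        // path traversal
                || candidate.contains("\r") || candidate.contains("\n")) { // header injection
            return fallback;
        }
        return candidate;
    }
}
```

The context path is prepended so the Location header is a proper absolute path on the same host; if you later let users influence the target (for example a "next" field on the login form), pass that value through the same safeLocalPath() check before redirecting.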
Vishnu Prakash
Ranch Hand

Joined: Nov 15, 2004
Posts: 1026

The part you're looking for is where the container remembers the original request and then uses this value later on once the user logs in. If you can find out how this works, you can piggy back the mechanism for your own use.


I think this can help you.

Live Http Headers.

I tried Form Based Authentication.

When a request is made for a constrained resource, and if we had configured Form Based Authentication (or any other type of authentication), we are supposed to get a 401 Unauthorized response from the container first.

But surprisingly I got a 200 OK response


Bosun Bello
Ranch Hand

Joined: Nov 06, 2000
Posts: 1510
The user has not logged in and they get a 200 OK as the response? AFAIK, if the user has not been authenticated, and makes a request for a constrained resource, and form-based authentication is being used, they should get a 401 Unauthorized access response. Maybe the experts in the forum can shed some more light on it.


Bosun (SCJP, SCWCD)
So much trouble in the world -- Bob Marley
Christophe Verré
Sheriff

Joined: Nov 24, 2005
Posts: 14688

I do get a 401 (SC_UNAUTHORIZED) status in my HTTP header.
I'm using Tomcat 5.5.
You can configure Tomcat to dump the HTTP headers.
In server.xml, uncomment the following line:
<Valve className="org.apache.catalina.valves.RequestDumperValve"/>

You can check header information in logs/catalina.YYYY-MM-DD.log

I used BASIC authentication, and got:



[My Blog]
All roads lead to JavaRanch
Vishnu Prakash
Ranch Hand

Joined: Nov 15, 2004
Posts: 1026

I used BASIC authentication, and got:


Try with Form Based Authentication. You will get 200 OK and NOT 401 Unauthorized.
Christophe Verré
Sheriff

Joined: Nov 24, 2005
Posts: 14688


When a request is made for a constrained resource, and if we had configured Form Based Authentication (or any other type of authentication), we are supposed to get a 401 Unauthorized response from the container first.


Sorry, being lazy I decided to try it on BASIC (you said 'or any other type')
Anyway, you're right. Form authentication returns 200.

Actually, the spec says, p94/p95:

SRV.12.5.3 Form Based Authentication
5. If authentication fails, the error page is returned using either a forward or a redirect, and the status code of the response is set to 200.

----------------

I searched a bit more deeply, in the HTTP RFCs.

14.47 WWW-Authenticate
The WWW-Authenticate response-header field MUST be included in 401 (Unauthorized) response messages. The field value consists of at least one challenge that indicates the authentication scheme(s) and parameters applicable to the Request-URI.

Possible values are described in "HTTP Authentication: Basic and Digest Access Authentication, RFC 2617"
For Basic, "Basic".
For Digest, "Digest".

There is no "Form" value for WWW-Authenticate,
so I guess that 401 is not a valid return error code when using Form Authentication. That's why another code is returned in this case.
[ December 26, 2005: Message edited by: Satou kurinosuke ]
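The difference the thread settled on (BASIC answers an unauthenticated request with 401 plus a WWW-Authenticate header, FORM answers with a login page and status 200) is easy to confirm against your own Tomcat without the RequestDumperValve. The client below is an added example, not code from the thread, and the URL in it is a placeholder for one of your own constrained resources. It sends a single unauthenticated GET, does not follow redirects (so a 302 to login.jsp stays visible), and classifies the reply by status, WWW-Authenticate header and whether the body carries a j_security_check form.

```java
// Added example, not from the original thread. The target URL is a placeholder.
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

public class AuthChallengeProbe {

    public static void main(String[] args) throws IOException {
        // Placeholder: replace with a resource that is under a <security-constraint>.
        String target = args.length > 0 ? args[0] : "http://localhost:8080/myapp/users/index.jsp";
        HttpURLConnection conn = (HttpURLConnection) new URL(target).openConnection();
        conn.setInstanceFollowRedirects(false); // keep a 302 to the login page visible
        conn.setRequestMethod("GET");
        int status = conn.getResponseCode();
        String challenge = conn.getHeaderField("WWW-Authenticate");
        // Error statuses (>= 400) deliver their body on the error stream.
        String body = readBody(status >= 400 ? conn.getErrorStream() : conn.getInputStream());
        System.out.println(describe(status, challenge, body));
    }

    /** Turns status, challenge header and body into a one-line diagnosis. */
    static String describe(int status, String wwwAuthenticate, String body) {
        if (status == 401 && wwwAuthenticate != null) {
            // RFC 2617 schemes: "Basic ..." or "Digest ..." in the header value.
            return "401 with WWW-Authenticate: " + wwwAuthenticate
                    + " (BASIC/DIGEST challenge from the container)";
        }
        if (body != null && body.contains("j_security_check")) {
            // FORM auth: no WWW-Authenticate scheme exists for forms, so the
            // container returns the login page itself with 200 (or a redirect to it).
            return status + " with a form login page (FORM authentication)";
        }
        if (status == 200) {
            return "200 without a login form: resource is not constrained,"
                    + " or the client is already authenticated";
        }
        return status + " (unexpected; compare with the RequestDumperValve output)";
    }

    static String readBody(InputStream in) throws IOException {
        if (in == null) return "";
        StringBuilder sb = new StringBuilder();
        BufferedReader r = new BufferedReader(new InputStreamReader(in, "UTF-8"));
        for (String line; (line = r.readLine()) != null; ) sb.append(line).append('\n');
        r.close();
        return sb.toString();
    }
}
```

The practical consequence for anything that is not a browser (scripts, AJAX calls) is that it cannot rely on the status code to tell "logged in" from "sent to the login form" under FORM authentication; it has to inspect the body or the redirect location, which is exactly what describe() does.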