j_security_check - How to pass parameters in the URL

 
Efrat Bar-Nahum
Ranch Hand
Posts: 57
Hi,

I have a web application, and I'm using j_security_check (JAAS).

I have a second Java desktop application that also uses JAAS (and uses the same Login Module).

Both applications have the same users (principals & roles).
When I log in to each of them, the login process works fine.

Now, from the Java desktop application I want to launch a web browser and open my web application.
I don't want to get to the login page, since the user was already authenticated & authorized when he logged in to the Java application.

So I'm trying to pass the user name & password to the j_security_check via the URL.
My URL is:


But I get an exception:

HTTP Status 408 - The time allowed for the login process has been exceeded. If you wish to continue you must either click back twice and re-click the link you requested or close and re-open your browser


The strange thing is that if I open a browser with the URL of the login page (http://localhost:8080/EM/), and then change the URL to the above one (with the username & password), it all works fine. The user is authenticated & authorized.

What am I doing wrong, and how can I fix the problem?

Thanks,
Efrat
 
Ulf Dittmer
Rancher
Posts: 42967
I think the folks in the Servlets forum might know more about this, so I'm moving the thread to that forum.
 
Jeffrey Spaulding
Ranch Hand
Posts: 149
I don't know what the check does - but passing the password as a GET parameter is considered extremely unsafe - maybe the check simply shares my view here and sends a 408 to prevent this technique.
 
Durgaprasad
Greenhorn
Posts: 17
When you first make a request to the protected resource, the container will not know whether it is protected or not. Once it comes to know that the requested resource is protected (by looking at the DD), it will send the response asking for the username and password. So if you type the URL directly, that means you are requesting that page itself, which will not be served by the container at any cost.
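
The behaviour reported in this thread, as an added example that is not part of any post and is not a container's own code: a simplified Python model, with hypothetical class and function names, assuming the container accepts j_security_check only in a session where it has itself saved a request for a protected resource. It also records request lines the way an access log does, to show where a password sent as a GET parameter ends up.

```python
# Added example: simplified model of container-managed FORM login.
# FormAuthContainer and leaked_passwords are hypothetical names, not a container API.
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

class FormAuthContainer:
    def __init__(self, users, protected_prefix="/EM/"):
        self.users = users          # constructed test credentials
        self.protected_prefix = protected_prefix
        self.sessions = {}          # session id -> per-session state
        self.access_log = []        # request lines, as an access log records them

    def request(self, method, url, body="", sid=None):
        """Return (status, page_or_location, session_id)."""
        self.access_log.append(f"{method} {url}")   # query string included, body not
        parts = urlsplit(url)
        session = self.sessions.get(sid)
        if parts.path.endswith("/j_security_check"):
            # Assumption: login only completes a flow the container started itself.
            if session is None or "saved_request" not in session:
                return 408, "login process expired", sid
            form = parse_qs(parts.query if method == "GET" else body)
            user = form.get("j_username", [""])[0]
            supplied = form.get("j_password", [""])[0].encode()
            expected = self.users.get(user, "").encode()
            if not expected or not hmac.compare_digest(supplied, expected):
                return 200, "login error page", sid
            session["user"] = user
            return 302, session.pop("saved_request"), sid
        if parts.path.startswith(self.protected_prefix):
            if session and "user" in session:
                return 200, f"resource for {session['user']}", sid
            # Unauthenticated: remember the target, then show the login form.
            sid = sid if session is not None else secrets.token_hex(16)
            self.sessions.setdefault(sid, {})["saved_request"] = url
            return 200, "login page", sid
        return 404, "not found", sid

def leaked_passwords(container):
    """Passwords that reached the access log through a query string."""
    found = []
    for line in container.access_log:
        query = urlsplit(line.split(" ", 1)[1]).query
        found += parse_qs(query).get("j_password", [])
    return found
```
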
 
Ben Souther
Sheriff
Posts: 13411
Durgaprasad,
Welcome to JavaRanch!

We're pleased to have you here with us in the servlets forum, but there
are a few rules that need to be followed, and one is that proper names are
required. Please take a look at the
JavaRanch Naming Policy and
adjust your display name to match it.

In particular, your display name must be a first and a last name separated by a space character, and must not be obviously fictitious.

You can change it here
 