j_security_check - How to pass parameters in the URL

Efrat Bar-Nahum
Ranch Hand

Joined: Jan 19, 2006
Posts: 57
Hi,

I have a web application, and I'm using j_security_check (JAAS).

I have a second Java desktop application that also uses JAAS (and uses the same Login Module).

Both applications have the same users (principals & roles).
When I log in to each of them, the login process works fine.

Now, from the Java desktop application I want to launch a web browser and open my web application.
I don't want to get to the login page, since the user was already authenticated & authorized when he logged in to the Java application.

So I'm trying to pass the user name & password to the j_security_check via the URL.
My URL is:


But I get an exception:

HTTP Status 408 - The time allowed for the login process has been exceeded. If you wish to continue you must either click back twice and re-click the link you requested or close and re-open your browser


The strange thing is that if I open a browser with the URL of the login page (http://localhost:8080/EM/), and then change the URL to the above one (with the username & password), it all works fine. The user is authenticated & authorized.

What am I doing wrong, and how can I fix the problem?

Thanks,
Efrat
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42929
I think the folks in the Servlets forum might know more about this, so I'm moving the thread to that forum.
Jeffrey Spaulding
Ranch Hand

Joined: Jan 15, 2004
Posts: 149
I don't know what the check does - but passing the password as a GET parameter is considered extremely unsafe - maybe the check simply shares my view here and sends a 408 to prevent this technique.
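
An added example, not part of the thread: credentials placed in the query string end up in the server's access log, so a defender can scan for `j_security_check` requests that carry `j_password` and redact them. The log lines are constructed samples in common access-log format, and the function name `find_credential_leaks` is hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Request line inside a common/combined access-log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SENSITIVE = {"j_password"}  # form-login password field named by the Servlet spec


def find_credential_leaks(lines):
    """Return (line_no, method, redacted_target) for every j_security_check
    request whose query string carries a password."""
    hits = []
    for no, line in enumerate(lines, start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        # Drop a ";jsessionid=..." path parameter before matching the endpoint
        path = parts.path.split(";", 1)[0]
        if not path.endswith("/j_security_check"):
            continue
        # parse_qsl percent-decodes names, so j%5Fpassword is caught too
        params = parse_qsl(parts.query, keep_blank_values=True)
        if not any(k.lower() in SENSITIVE for k, _ in params):
            continue
        redacted = urlencode(
            [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in params]
        )
        hits.append((no, m["method"], f"{path}?{redacted}"))
    return hits


# Constructed sample log lines (not taken from the thread)
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Oct/2006:10:00:01 +0000] "GET /EM/ HTTP/1.1" 200 812',
    '127.0.0.1 - - [10/Oct/2006:10:00:05 +0000] "POST /EM/j_security_check HTTP/1.1" 302 -',
    '127.0.0.1 - - [10/Oct/2006:10:01:12 +0000] "GET /EM/j_security_check?j_username=alice&j_password=s3cret HTTP/1.1" 408 1021',
    '127.0.0.1 - - [10/Oct/2006:10:02:30 +0000] "GET /EM/j_security_check?j_username=bob&j%5Fpassword=hunter2 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for no, method, target in find_credential_leaks(SAMPLE_LOG):
        print(f"line {no}: {method} {target}")
```

The POST on the second sample line is not flagged because its credentials travel in the request body, which the access log does not record.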
Durgaprasad
Greenhorn

Joined: Oct 02, 2006
Posts: 17
When you first make a request to the protected resource, the container will not know whether it is protected or not. Once it comes to know that the requested resource is protected (by looking at the DD), it will send the response asking for the username and password. So if you type the URL directly, that means you are requesting that page itself, which will not be served by the container at any cost.
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Durgaprasad,
Welcome to JavaRanch!

We're pleased to have you here with us in the servlets forum, but there are a few rules that need to be followed, and one is that proper names are required. Please take a look at the JavaRanch Naming Policy and adjust your display name to match it.

In particular, your display name must be a first and a last name separated by a space character, and must not be obviously fictitious.

You can change it here

