j_security_check - How to pass parameters in the URL
Efrat Bar-Nahum
Ranch Hand
Joined: Jan 19, 2006
Posts: 57
Hi,
I have a web application, and I'm using j_security_check (JAAS).
I have a second Java desktop application that also uses JAAS (and using the same Login Module).
Both applications have the same users (principals & roles). When I log in to each of them, the login process works fine.
Now, from the Java desktop application I want to launch a web browser and open my web application. I don't want to get to the login page, since the user was already authenticated & authorized when he logged in to the Java application.
So I'm trying to pass the user name & password to the j_security_check via the URL. My URL is:
But I get an exception:
HTTP Status 408 - The time allowed for the login process has been exceeded. If you wish to continue you must either click back twice and re-click the link you requested or close and re-open your browser
The strange thing is that if I open a browser with the URL of the login page (http://localhost:8080/EM/), and then change the URL to the above one (with the username & password), it all works fine. The user is authenticated & authorized.
What am I doing wrong, and how can I fix the problem?
Thanks, Efrat
Ulf Dittmer
Marshal
Joined: Mar 22, 2005
Posts: 35258
I think the folks in the Servlets forum might know more about this, so I'm moving the thread to that forum.
I don't know what the check does - but passing the password as a GET parameter is considered extremely unsafe - maybe the check simply shares my view here and sends a 408 to prevent this technique.
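Added example, not part of any post in this thread: one reason a password in a GET parameter is unsafe is that the full URL is written to access logs and can be repeated in the Referer header of later requests. The sketch below scans combined-format access-log lines for `j_security_check` URLs carrying `j_password` in the query string and returns a redacted copy; the log lines, user name and password value are constructed, and the assumed log layout is the common combined format.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Constructed sample lines in combined log format (all values are made up).
SAMPLE_LOG = '''\
127.0.0.1 - - [10/Oct/2006:13:55:36 +0000] "GET /EM/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Oct/2006:13:55:40 +0000] "GET /EM/j_security_check?j_username=alice&j_password=EXAMPLE-ONLY HTTP/1.1" 408 1024 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Oct/2006:13:56:02 +0000] "POST /EM/j_security_check HTTP/1.1" 302 0 "http://localhost:8080/EM/" "Mozilla/5.0"
127.0.0.1 - - [10/Oct/2006:13:56:09 +0000] "GET /EM/home.jsp HTTP/1.1" 200 2048 "http://localhost:8080/EM/j_security_check?j_username=alice&j_password=EXAMPLE-ONLY" "Mozilla/5.0"
'''

SENSITIVE = {"j_password"}  # form-login field that must never appear in a URL

# Captures the request target and the Referer field of a combined-format line.
LINE_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)

def redact_url(url):
    """Return (redacted_url, leaked). leaked is True when a j_security_check
    URL carries a sensitive field in its query string."""
    parts = urlsplit(url)
    if not parts.path.endswith("/j_security_check"):
        return url, False
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = any(key in SENSITIVE for key, _ in pairs)
    safe = [(k, "REDACTED" if k in SENSITIVE else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(safe))), leaked

def scan(log_text):
    """Return (line_number, field, redacted_url) for every leaked credential."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), 1):
        match = LINE_RE.search(line)
        if not match:
            continue
        for field in ("target", "referer"):
            redacted, leaked = redact_url(match.group(field))
            if leaked:
                findings.append((number, field, redacted))
    return findings

if __name__ == "__main__":
    for number, field, redacted in scan(SAMPLE_LOG):
        print(f"line {number}: password in {field}: {redacted}")
```

The POST on line 3 of the sample is not flagged because its credentials travel in the request body, which access logs do not record.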
Durgaprasad
Greenhorn
Joined: Oct 02, 2006
Posts: 17
When you first make a request to the protected resource, the container will not know whether it is protected or not. Once it comes to know that the requested resource is protected (by looking at the DD), it will send the response asking for the username and password. So if you type the URL directly, that means you are requesting that page itself, which will not be served by the container at any cost.
We're pleased to have you here with us in the servlets forum, but there are a few rules that need to be followed, and one is that proper names are required. Please take a look at the JavaRanch Naming Policy and adjust your display name to match it.
In particular, your display name must be a first and a last name separated by a space character, and must not be obviously fictitious.