
j_security_check not working with flash

bill Papadopoulos

Joined: Dec 21, 2009
Posts: 7

I have a problem authenticating my users with j_security_check interworking with a flash on my login.jsp page.

Here is how things go:

I use j_security_check method to authenticate my users.
As a result, I have assigned a login.jsp page where I have a login form and at the top of the page a menu developed with flash:

..::1 - Login Form::..
<form method='POST' action='j_security_check'>
Username:<input type='text' name='j_username'><br>
Password:<input type='password' name='j_password'><br>
<input type='submit' value='Log In'>
</form>

..::2 - Menu Flash::..
<embed src="testMenu.swf"

When the user is prompted to log in, he inserts the correct username and password.
But after submit, the authentication method fails and the error page appears from Tomcat:

HTTP Status 404 - /...../j_security_check
type Status report
message /...../j_security_check
description The requested resource (/...../j_security_check) is not available.

Then I simply remove my flash menu and the whole login procedure of the user is performed correctly!!!
This means that flash caused the error in this page!!!

Is there a way I can have in my login.jsp page my flash menu and perform the login successfully?

Thanks in Advance for the answer,
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 17423

You cannot call j_security_check directly and expect it to work. That mechanism belongs to the application server (Tomcat), and the required context only exists when Tomcat itself feels the need to present the login page. That is, when you submit a security-restricted URL (as defined in web.xml).

I heartily discourage putting any sort of menu on a login page. The act of selecting from a menu is also the act of sending a web request, which means that the user is attempting to short-circuit the login, since you can't do 2 submits at the same time (menu and login form). So, if you'd actually succeeded, you'd have an insecure application where people could hack their way past the login. Though that would also indicate a security bug in Tomcat, and no such bug is known to exist, so either you'd have access denied or the menu operation would not be performed, depending on how you coded the page.

An IDE is no substitute for an Intelligent Developer.
bill Papadopoulos

Joined: Dec 21, 2009
Posts: 7

First, I would like to thank you for your suggestions.

Sooner or later I came to understand that the "error" that occurs in my web app with jsp pages that contain flash (not necessarily a flash menu, but also some other flash files used to make my web app "nicer") really causes wayward behavior in those jsp pages.

But later, from another person's advice, I realized that this happens when flash files are included in protected folders.
Then, I removed those flash files out of the protected folder, and everything worked OK.

Thank you again for the advice about security on my web app!

Best Regards,
Vasilis Papadopoulos.
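
A check for the condition reported in the last post, where assets embedded in the login page sit inside a protected folder. This is an added example, not code from the thread: the web.xml, the paths and the role name are constructed, and the matcher is a simplification that ignores the servlet spec's best-match ordering between constraints.

```python
# Added example: list login-page assets that fall under an auth-constrained
# url-pattern. The web.xml, paths and role name below are constructed samples.
import re
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/members/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <login-config><form-login-config>
    <form-login-page>/members/login.jsp</form-login-page>
  </form-login-config></login-config>
</web-app>"""

# Constructed login page: one relative asset, one asset outside the protected folder.
LOGIN_PAGE = """<embed src="testMenu.swf">
<img src="/images/logo.png">
<form method="POST" action="j_security_check">...</form>"""

def protected_patterns(web_xml):
    root = ET.fromstring(web_xml)
    for el in root.iter():                    # drop any XML namespace prefix
        el.tag = el.tag.split("}")[-1]
    patterns = [p.text.strip()
                for sc in root.iter("security-constraint")
                if sc.find("auth-constraint") is not None   # only constraints that demand login
                for p in sc.iter("url-pattern")]
    return patterns, root.findtext(".//form-login-page").strip()

def matches(pattern, path):
    # Servlet url-pattern forms: path prefix (/x/*), extension (*.ext), otherwise exact.
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path

def protected_assets(web_xml, login_html):
    patterns, login_page = protected_patterns(web_xml)
    refs = re.findall(r'\bsrc\s*=\s*["\']([^"\']+)', login_html)
    resolved = [urljoin(login_page, ref) for ref in refs]   # relative to the login page
    return [r for r in resolved if any(matches(p, r) for p in patterns)]

if __name__ == "__main__":
    print(protected_assets(WEB_XML, LOGIN_PAGE))
```

An empty result means every asset the login page references resolves outside the constrained patterns, which is the state the poster reached by moving the flash files out of the protected folder.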