authentication without using j_security_check

Jeremy Wilkinson
Greenhorn

Joined: Mar 31, 2010
Posts: 13
I want to authenticate a user after they register on my site without having to send them to a login page. Is there a way to take the user id and password from my registration form and use that to authenticate the user instead of using the j_security_check action?
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16061

No (or not with the standard Realms, anyway), and I meditated on that for a long time when I first realized that.

However, there's a good reason to force login after registration. Two of them, actually, although I suspect there's more if one has to do with especially evil-minded hackers.

1. Forcing an explicit login ensures that the user entered the correct credentials. Otherwise you'd create an account, do your thing and come back in a week or 2 (YMMV) and not be able to log in again because you'd botched something and didn't know about it. If you get an immediate usage of the login, you're more likely to be in a position to correct it, especially if you were already in contact with a support person.

2. By forcing an immediate login, the system helps cement the new credentials into the user's head. Memory reinforcement by repetition. Your desktop support people will probably be grateful, and speaking as a user, I've decided that it's actually kind of helpful, since I do frequently end up cooking up IDs and passwords off the top of my head.

In other words, it may be more inconvenient, but it's likely to reduce support issues. And it's not a lot inconvenient, when all's said and done.

Incidentally, in container-managed security, you don't "send" a user to a login page. Container-managed security secures application pages. If a page requires an authenticated user, it will front that page with a login demand. If the page doesn't require an authenticated user, it won't.

This is where a lot of the DIY systems fail. They assume that the only way a user will get to a page is via the approved route.


Customer surveys are for companies who didn't pay proper attention to begin with.
Jeremy Wilkinson
Greenhorn

Joined: Mar 31, 2010
Posts: 13
Thanks for the info. I will keep it the way it is, which is requiring users to log in after they complete the registration process.
 