can I have two login page using form-based authentication?

alex chow
Greenhorn

Joined: Jan 15, 2011
Posts: 3
Hi there,
I have a very common scenario where a user can input a username and password from the home page and be brought to the protected page. Yes, that's it.
And I could not make it happen using form-based authentication.
You specify the login page (any attempt to visit the protected resources will be redirected to the login page configured in web.xml), and here is what a typical one looks like in web.xml:

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Form-Based Authentication Area</realm-name>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
</login-config>

All right. Now we have two login pages: the home page and the one specified in web.xml.
If I log in with the home page (the action of the form points to a protected resource), I will still be taken to the configured login page, and you will log in twice before you get where you wanted!!
OK, how about just configuring the home page as the login page, like
<form-login-page>/home.jsp</form-login-page>
<form-error-page>/error.jsp</form-error-page>
No. As you know, you must specify the form action called j_security_check, and if you try to log in with the above configuration,
you will get an error complaining that it doesn't know where to go next.

BTW, I even tried using request.getParameter("username") in the login.jsp page to try to get the post data that I've submitted in the home page, and you get null.
Any help is highly appreciated!!!
Goutham Pallipati
Greenhorn

Joined: Aug 13, 2008
Posts: 20
You can use any JSP file as the login page in form-based authentication. Remember, this is the page to which the user will be redirected in case of session expiry or in case anyone tries to access the pages within the web application according to the security constraints defined.

Hope this helps.
alex chow
Greenhorn

Joined: Jan 15, 2011
Posts: 3
Thanks for the quick reply, but as I mentioned at the start of the thread:
"OK, how about just configuring the home page as the login page, like
<form-login-page>/home.jsp</form-login-page>
<form-error-page>/error.jsp</form-error-page>
No. As you know, you must specify the form action called j_security_check, and if you try to log in with the above configuration,
you will get an error complaining that it doesn't know where to go next."

Could you just tell me how to create your own login page without being redirected to the configured login page, or, if the login page is the configured login page,
how you can name your own action other than "j_security_check"? So far as I know, you simply can't, and this is the limitation of J2EE web tier security.
Goutham Pallipati
Greenhorn

Joined: Aug 13, 2008
Posts: 20
You cannot mix things up.

Either you use form-based authentication (you can still design your own login page and configure it, but only one login page per application) or you design your own security and authentication mechanism.

Access control to resources is set using <security-constraint>. If your web application is properly organized, then you can omit some or all resources from security. (When they are accessed, you won't be kicked back to the login page.)

Check this link: http://java.dzone.com/articles/understanding-web-security

The main aim behind form-based authentication is to check whether the user is active or not when accessing a resource within the web application. Previously this was achieved by writing filters and checking for session and roles on access of a resource. Now this has been made simple and the user need not code for security checks.
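
The arrangement described in the reply above, as an added example that is not part of the original posts: one container-managed login page, with <security-constraint> deciding which URLs trigger it, so /home.jsp stays public. The /protected/* pattern, the role name "user" and the resource name are assumptions for illustration.

```xml
<!-- Added example, not from the thread. The /protected/* pattern, the role
     name "user" and the resource name are assumptions for illustration. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- Only URLs matched here trigger the login page. /home.jsp is not
       matched, so it stays public and is never sent to /login.jsp. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected pages</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <!-- Require HTTPS for the protected URLs. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- One login page per application, as in the snippet from the thread. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Form-Based Authentication Area</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role used in an auth-constraint is declared here. -->
  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>

<!-- /login.jsp: the action and field names are fixed by the Servlet spec.
<form method="POST" action="j_security_check">
  <input type="text" name="j_username"/>
  <input type="password" name="j_password"/>
  <input type="submit" value="Log in"/>
</form>
-->
```

With this layout the home page carries a plain link to a URL under /protected/ rather than its own username and password form, and the container shows /login.jsp once before returning the user to the requested page.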
alex chow
Greenhorn

Joined: Jan 15, 2011
Posts: 3
Okay, so I can't have two login pages using form-based authentication.
 