
JEE container based security

mallareddy gamannagari

Joined: Dec 23, 2011
Posts: 3
Hi all,
Here, I want to use JEE container based security for my application. I have configured a realm in Tomcat and in my application, and validating the user and role succeeded, but the problem is I'm not getting how to redirect to my home page after completion of j_security_check.

In my page I'm getting the following error:
In URL: http://localhost:9999/HMS/j_security_check
In webpage:
HTTP Status 408 - The time allowed for the login process has been exceeded. If you wish to continue you must either click back twice and re-click the link you requested or close and re-open your browser

Please help me, anyone.
Thanks in advance, all.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 17417

Container security is totally transparent. When a user requests a protected URL and is not logged in, the container (Tomcat) takes over, putting the original request on hold, sending out the login page and processing the results (userid/password). Once the user has validated, Tomcat then takes the original request off hold and continues processing as though login had never been requested.

There is no such thing as a login event or anything similar in container security. The security mechanism is a general mechanism and therefore must be able to handle situations where the user was already validated before making requests to the webapp. For example, in a single-signon environment.

It's also rather rude to hijack a request and send it somewhere else just because a login was forced. I happen to like sites where I can bookmark often-used URLs, regardless of whether those URLs are secured URLs or not.

However, for those who insist on forcing a request to be abandoned in favor of a post-login "home" page, there is a trick you can use. Create a servlet filter. Make it check incoming requests. If there is no session, create one and store the HttpServletRequest getRemoteUser value (or obtain userId from UserPrincipal). If the session already existed, check to see if the previously stored userId is null; if there was no session, act as though the previously stored userId was null. If the previously stored userId was null AND the current request userId is NOT null, the user has just logged in, so redirect the incoming URL request to go to your "home" page.

An IDE is no substitute for an Intelligent Developer.
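One way to write the filter described in the post above, as an added example that is not part of the original thread and is not Tim Holloway's own code. The class name, the session attribute name and the `/home.jsp` target are assumptions, and the filter is assumed to be mapped to `/*` in `web.xml`.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter: detects the first authenticated request in a session.
public class PostLoginRedirectFilter implements Filter {
    // Assumed names, not taken from the thread.
    private static final String SEEN_USER = "postLogin.seenUser";
    private static final String HOME = "/home.jsp";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // Creates the session if there is none. A new session has no stored
        // user, which is the "act as though it was null" case.
        HttpSession session = req.getSession(true);
        String previous = (String) session.getAttribute(SEEN_USER);
        String current = req.getRemoteUser(); // null until the container has authenticated

        if (previous == null && current != null) {
            // Stored user was null and the request now has one: just logged in.
            session.setAttribute(SEEN_USER, current);
            // Fixed, context-relative target. Never build it from request
            // parameters, or the login turns into an open redirect.
            res.sendRedirect(res.encodeRedirectURL(req.getContextPath() + HOME));
            return; // the originally requested URL is abandoned here
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Because the stored user is set before the redirect, the follow-up request for the home page passes straight through the filter instead of looping.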