JEE container based security

 
mallareddy gamannagari
Greenhorn
Posts: 3
Hi all,
Here, I want to use JEE container based security for my application. I have configured a realm in Tomcat and in my application, and validating the user and role succeeded, but the problem is I'm not getting how to redirect to my home page after completion of j_security_check.

In my page I'm getting the following error:
in url: http://localhost:9999/HMS/j_security_check
in webpage:
HTTP Status 408 - The time allowed for the login process has been exceeded. If you wish to continue you must either click back twice and re-click the link you requested or close and re-open your browser

Please help me, anyone.
Thanks in advance, all.
 
Tim Holloway
Saloon Keeper
Posts: 18009
Container security is totally transparent. When a user requests a protected URL and is not logged in, the container (Tomcat) takes over, putting the original request on hold, sending out the login page and processing the results (userid/password). Once the user has validated, Tomcat then takes the original request off hold and continues processing as though login had never been requested.

There is no such thing as a login event or anything similar in container security. The security mechanism is a general mechanism and therefore must be able to handle situations where the user was already validated before making requests to the webapp, for example in a single sign-on environment.

It's also rather rude to hijack a request and send it somewhere else just because a login was forced. I happen to like sites where I can bookmark often-used URLs, regardless of whether those URLs are secured URLs or not.

However, for those who insist on forcing a request to be abandoned in favor of a post-login "home" page, there is a trick you can use. Create a servlet filter. Make it check incoming requests. If there is no session, create one and store the HttpServletRequest getRemoteUser value (or obtain the userId from the UserPrincipal). If the session already existed, check to see if the previously stored userId is null; if there was no session, act as though the previously stored userId was null. If the previously stored userId was null AND the current request userId is NOT null, the user has just logged in, so redirect the incoming URL request to your "home" page.
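The filter trick described above, written out as an added example (this is not code from the thread or from Tomcat). It assumes a Servlet 3.0+ container so the filter can register itself with @WebFilter, and it assumes the home page lives at the context-relative path /home.jsp; the package name and the session attribute name are placeholders chosen for this example.

```java
package example.security; // hypothetical package name

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Detects the transition from "not logged in" to "logged in" across two
 * consecutive requests of one session and redirects the first authenticated
 * request to the home page. Container security itself is untouched: the
 * realm, the login form and j_security_check keep working as before.
 */
@WebFilter(urlPatterns = "/*")
public class PostLoginRedirectFilter implements Filter {

    /** Session attribute holding the user id seen on the previous request (assumed name). */
    static final String LAST_USER_ATTR = "example.lastSeenUserId";

    /** Context-relative path of the post-login home page (assumed). */
    static final String HOME_PAGE = "/home.jsp";

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure in this example
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The container's answer to "who is this?": null until authentication succeeded.
        String currentUser = request.getRemoteUser();

        // Look for an existing session without creating one.
        HttpSession session = request.getSession(false);
        String previousUser = null;
        if (session != null) {
            previousUser = (String) session.getAttribute(LAST_USER_ATTR);
        } else {
            // No session: create one and treat the previously stored user id as null.
            session = request.getSession(true);
        }

        // Remember who made this request so the next request can compare.
        // (setAttribute with a null value removes the attribute, which is what we want.)
        session.setAttribute(LAST_USER_ATTR, currentUser);

        // null -> non-null between two requests means the login just completed.
        boolean justLoggedIn = previousUser == null && currentUser != null;

        // If the protected URL the user asked for already is the home page, just serve it.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (justLoggedIn && !HOME_PAGE.equals(path)) {
            response.sendRedirect(request.getContextPath() + HOME_PAGE);
            return;
        }

        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release in this example
    }
}
```

Because the filter only sees requests that have already passed the container's authentication, it never interferes with the login exchange itself. One caveat on the 408 in the original question: Tomcat's form authenticator sends that status when the form is posted to j_security_check and there is no session holding the original protected request, which happens when the login page is opened directly rather than reached by requesting a protected URL, or when the session expired before the form was submitted.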
 