tomcat-users mailing list archives

From Tõnu Põld <>
Subject RE: AutoLogon J_Security_Check
Date Fri, 04 May 2001 08:38:06 GMT

I have done a similar logon with JSP in Tomcat.
In my case I use form-based login, and I need a separate login page.
After a successful login the user must be redirected to the default page.
It couldn't be achieved with the Tomcat (3.2.1) login mechanism, because the
login page is returned after the user has made a request for a restricted page.
Also, after login the user is redirected to the same page he/she requested.
It also couldn't be achieved by making the request from a separate login
page directly to j_security_check, because in this case the user is
redirected to the /catalog/null page, which doesn't exist.

So what I did was:
1. A static HTML login page. The page has a form with fields "j_password" and
2. For processing the request submitted from this static login page I made a
page "loginredirect.jsp".
3. In the loginredirect.jsp page I take the request parameters "j_password" and
"j_username" and dispatch the login request to the j_security_check resource
for user authentication/authorization.
4. After dispatching I redirect the user to the default page, which is also a
restricted page. Now if the login succeeded, the default page is returned to
the user.

My loginredirect page looks like this:
<%-- Set autoflush to false to prevent the premature response --%>
<%@ page autoFlush="false" %>
<%
 // this page is restricted with "security-constraint" in web.xml
 String path = "/catalog/default.jsp";

 // redirect the page to default location, but first authenticate the user
 response.setStatus(302, "Found");
 response.setHeader("Location", path);

 // Here I call the j_security_check to authenticate and authorize the user
 // The dispatched request can't set any response attributes, but it saves
 // authentication parameters in session
 // (the dispatcher path is missing from the archived message; "/j_security_check"
 // is assumed from the description above)
 RequestDispatcher rd = application.getRequestDispatcher("/j_security_check");
 rd.include(request, response);

 // Here we discard the output that was written in j_security_check
 // This doesn't work in Tomcat 3.2.1 ???
 if (!response.isCommitted()) {
 // assumed call; the body of this block is missing from the archived message
 out.clearBuffer();
 }

 // If authorization succeeded, then the j_security_check added the
 // attributes into request session. Now we redirect the request to default
 // page.
%>
<title>Document moved</title>
<h1>Document moved</h1>
This document has moved <a href="<%= path.toString() %>">here</a>.
<% out.flush(); %>


> -----Original Message-----
> From: Warren Crossing
> Sent: Friday, May 04, 2001 7:09 AM
> To: ''
> Subject: AutoLogon J_Security_Check
>
> hey all,
> i'm about to build a servlet class component that proactively &
> automatically (without being prompted) logs the user into servlet security
> and bypasses a browser request for j_security_check..
> i plan to achieve this by using;
> a static html page with a form on it
> a known dummy protected page to trigger the j_security_check response..
> a servlet class to receive the request
> spoof the browser request to request dummy page,
> log the user in trick =) respond with j_user_name & j_password.
> and getRequestDispatcher().forward to the target page..
> i know it's a little more tricky than this & so i'll ask if anyone is
> interested in the outcome.. or attempted this before with tomcat. i've done a
> similar thing with weblogic servlet security. and this functionality is
> desirable when merging my web portal into a web page interface.. but i
> know it's bad for guaranteed security.
> regards,
> warren.
