A set of related queries on web tier security using form based login (j_security_check)
Posted By:   Krishna_Kumar
Posted On:   Wednesday, December 18, 2002 07:23 AM

I am using form-based login for providing authenticated access to a web application. But I am having a set of problems which have made the application 'user-unfriendly'.

(1) Users can 'register' themselves at the site. Now, after successful registration, I would like to log them in automatically. I have tried all combinations of RequestDispatcher.include()/forward() for "j_security_check?j_username=...&j_password=..." in different contexts, but that does not seem to work. How do I programmatically simulate a form-based login? (The only way I could think of was that the registration script sets up some session variables and redirects the user to a protected page on success. The web server will now redirect the user (again!) to a login page, and this page can look for the session variables and build itself with a pre-populated form so that an onload() JavaScript will cause a submit and hence do the login. This sounds way too complicated for a typical requirement!)

(2) How do I do some initialization after successful login? I want to set up some user preferences once they are logged in. This I can do if they use the "login" link always, as I can point the login link to a protected script which will be executed after the successful login and hence can do the initialization. But this will not work if the users type a (different) protected page URL in the address bar, use the browser history to go to a protected page, or have bookmarks to a protected page. In these cases, the web server takes them to the attempted URL after successful login without a 'hook' for any post-processing. Again, I can probably do this with a filter which checks whether a user is currently logged in and, if yes, a session variable which indicates whether the session has been initialized, but is there a simpler method?


Q: How do I do some initialization after successful login?

Posted By:   Alex_Chaffee  
Posted On:   Tuesday, December 31, 2002 06:34 AM

Q: How do I do some initialization after successful login?


A: Other than filters, I don't know of any hooks for doing this elegantly, but don't be afraid of lazy initialization. It's possible to do this fairly cleanly as follows:


Make a servlet called "BaseServlet" that extends HttpServlet; make all your servlets extend this one. Put code like this in BaseServlet's service() method:


    // getSession() takes no arguments here; it returns the current session or creates one.
    HttpSession session = request.getSession();
    if (isLoggedIn(session)) {
        if (!isInitialized(session)) {
            initializeSession(session);   // run once per session, after the container has logged the user in
        }
    }
    // service() needs the request and response; HttpServlet then dispatches to doGet()/doPost().
    super.service(request, response);

(with appropriate implementations for those methods inside BaseServlet, of course).
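A fuller version of the BaseServlet sketched above, added here as an example; it is not Alex's code and not part of the original thread. It assumes container-managed form login, so request.getRemoteUser() is non-null once j_security_check has succeeded. The attribute names, the loadPreferences() hook and the WelcomeServlet subclass are illustrative assumptions. It also records which user the session was initialized for, so a second login on a reused session does not inherit the first user's preferences.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Collections;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: lazy per-session initialisation after a container-managed login.
// Assumed names: INIT_USER_ATTR, PREFS_ATTR, loadPreferences(), WelcomeServlet.
public abstract class BaseServlet extends HttpServlet {

    // Records which user the session was initialised for. Keying on the user rather
    // than a bare boolean means a different login on a reused session is initialised
    // again instead of inheriting the previous user's preferences.
    static final String INIT_USER_ATTR = "example.initializedForUser";
    static final String PREFS_ATTR = "example.userPreferences";

    @Override
    protected void service(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getRemoteUser();   // null until j_security_check succeeds
        if (user != null) {
            HttpSession session = request.getSession();
            if (!isInitialized(session, user)) {
                initializeSession(session, user);
            }
        }
        // Let HttpServlet dispatch to doGet()/doPost() of the concrete subclass.
        super.service(request, response);
    }

    private boolean isInitialized(HttpSession session, String user) {
        return user.equals(session.getAttribute(INIT_USER_ATTR));
    }

    private void initializeSession(HttpSession session, String user) {
        // Two parallel requests from one browser can both reach this point; the
        // servlet API offers no session lock, so keep the work idempotent (a second
        // run simply overwrites the first with identical data).
        session.setAttribute(PREFS_ATTR, loadPreferences(user));
        session.setAttribute(INIT_USER_ATTR, user);
    }

    // Application hook: fetch the preferences of an authenticated user.
    protected abstract Map<String, String> loadPreferences(String user);
}

// Concrete servlet; every protected page served through a subclass like this sees
// an initialised session regardless of how the user reached it (bookmark, history, typed URL).
class WelcomeServlet extends BaseServlet {

    @Override
    protected Map<String, String> loadPreferences(String user) {
        // Constructed stand-in for a database lookup.
        return Collections.singletonMap("theme", "dark");
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        @SuppressWarnings("unchecked")
        Map<String, String> prefs =
                (Map<String, String>) request.getSession().getAttribute(PREFS_ATTR);
        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println("Hello " + request.getRemoteUser() + ", theme=" + prefs.get("theme"));
    }
}
```

The same check can live in a javax.servlet.Filter mapped to the protected paths, which also covers JSPs and static resources that never pass through a BaseServlet subclass.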

Re: A set of related queries on web tier security using form based login (j_security_check)

Posted By:   Alex_Chaffee  
Posted On:   Tuesday, December 31, 2002 06:26 AM

Q: How to programmatically login users using form-based authentication?


A: Did you try sending a redirect to the j_security_check URI? That will cause the browser to send the request, which should look exactly as if the user entered the values in him/herself.


Please try response.sendRedirect("j_security_check?j_username=user&j_password=secret"); and let us know how that worked.
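The two ways of logging a newly registered user in, written up as an added example that is not Alex's code or part of the thread. redirectThroughJSecurityCheck() is the redirect suggested in the answer; RegisterServlet.doPost() uses HttpServletRequest.login(), available since Servlet 3.0, which authenticates against the container's realm on the server side so the password never travels in a URL (query strings end up in access logs, proxy logs, browser history and Referer headers). The /register and /members/home paths and the createAccount() helper are assumptions.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: auto-login after self-registration, Servlet 3.0+ (request.login()).
// Assumed: the paths /register and /members/home, and the createAccount() helper.
@WebServlet("/register")
public class RegisterServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");

        // Store the account in the same realm the container authenticates against
        // (e.g. the users table behind a JDBC realm); stand-in implementation below.
        if (username == null || password == null || !createAccount(username, password)) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "registration failed");
            return;
        }

        // Drop the anonymous pre-login session and start a fresh one, so a session id
        // handed to the browser before registration is never promoted to an
        // authenticated session (session fixation).
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        request.getSession(true);

        try {
            // Server-side authentication against the container's realm. Throws if the
            // credentials are rejected, if a caller identity is already established, or
            // if the configured login mechanism does not support programmatic login.
            request.login(username, password);
        } catch (ServletException e) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "login failed");
            return;
        }

        // The container now knows who the caller is, so the protected page is served
        // directly instead of bouncing through the login form.
        response.sendRedirect(request.getContextPath() + "/members/home");
    }

    // The approach from the answer above, kept for comparison. It puts the password
    // in the URL (visible in access logs, proxies, history and Referer headers) and
    // depends on the container accepting j_security_check without a saved protected
    // request, which varies between servers. Prefer request.login() where available.
    static void redirectThroughJSecurityCheck(HttpServletRequest request,
            HttpServletResponse response, String username, String password)
            throws IOException {
        String target = request.getContextPath() + "/j_security_check"
                + "?j_username=" + URLEncoder.encode(username, "UTF-8")
                + "&j_password=" + URLEncoder.encode(password, "UTF-8");
        response.sendRedirect(target);
    }

    // Constructed stand-in: a real implementation writes a salted password hash to
    // the realm's user store and returns false if the name is already taken.
    private boolean createAccount(String username, String password) {
        return !username.isEmpty() && password.length() >= 8;
    }
}
```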

Re: A set of related queries on web tier security using form based login (j_security_check)

Posted By:   Jeff_Hubbach  
Posted On:   Wednesday, December 18, 2002 09:19 AM

To answer 1): in some app servers there is a way to programmatically log them in. We've done this successfully in Orion, but haven't found a way to do it in Tomcat as of yet. Basically, the login manager, or user manager, or whatever it's called that does the authentication, needs to be accessible through JNDI; then you can look it up, log them in, and forward them on to the protected page.


To answer 2): the filter method would work. Another method would be to write your own login manager, or user manager, or whatever your app server calls it, that does the initialization you are asking for. We did something similar to this in Orion, but haven't tried it in Tomcat yet.