RE: Direct call to j_security_check when using form based authorization
Thank you for your answer. I understand what you mean, but I am afraid I did not specify my problem enough.

I would like to have a login form (fast login) on my public page where a visitor can directly insert username and password. When the client presses the login button I would like to send him to the correct page (which is restricted) without forcing him to visit the login.jsp (the page specified as form-login-page in the web.xml). This seems natural since he has already added his login data once. If the client is trying to access a restricted page without using the fast login, then it is of course desirable that the container intercepts the call and shows the login form.

What I have tried to do is to attach the username and the password in the http-parameter list (with post) when directing the user from the fast login form to a restricted area, and then to automatically forward the call to the j_security_check from the login.jsp if a password and a username are attached to the http-parameter list.

The problem is that the Orion web-server does not accept the direct call to the j_security_check. Does anyone have any ideas about how to solve this problem? Below you'll find my test login.jsp and the error message from the web-browser.

Best regards,
Erik

login.jsp:

    <html>
    <head><title>Test System</title></head>
    <body bgcolor="white">
    <%!
        private String username;
        private String password;
        public void jspInit() {
            //System.out.println("Running init...");
        }
        public void jspDestroy() {
        }
    %>
    <%
        username = request.getParameter("username");
        password = request.getParameter("password");
        String j_username = username;
        String j_password = password;
    %>
    <jsp:forward page="<%= "j_security_check;j_username=" + java.net.URLEncoder.encode(j_username) + "&j_password=" + java.net.URLEncoder.encode(j_password) %>" />
    </body>
    </html>

Error message from web-browser:

    java.lang.IllegalArgumentException: Resource /j_security_check;j_username=pelle&j_password=pelle123 not found
        at com.evermind[Orion/1.5.2 (build 10460)].server.http.EvermindPageContext.forward(Unknown Source)
        at /login.jsp._jspService(/login.jsp.java:49)
        at com.orionserver[Orion/1.5.2 (build 10460)].http.OrionHttpJspPage.service(Unknown Source)
        at com.evermind[Orion/1.5.2 (build 10460)]._ah._rad(Unknown Source)
        at com.evermind[Orion/1.5.2 (build 10460)].server.http.JSPServlet.service(Unknown Source)
        at com.evermind[Orion/1.5.2 (build 10460)]._cxb._abe(Unknown Source)
        at com.evermind[Orion/1.5.2 (build 10460)]._cxb._uec(Unknown Source)
        at com.evermind[Orion/1.5.2 (build 10460)]._cxb.forward(Unknown Source)
        at com.evermind[Orion/1.5.2 (build 10460)]._ctb.reject(Unknown Source)
        at com.evermind[Orion/1.5.2 (build 10460)]._ah._fod(Unknown Source)
        at com.evermind[Orion/1.5.2 (build 10460)]._ah._cwc(Unknown Source)
        at com.evermind[Orion/1.5.2 (build 10460)]._io._twc(Unknown Source)
        at com.evermind[Orion/1.5.2 (build 10460)]._io._gc(Unknown Source)
        at com.evermind[Orion/1.5.2 (build 10460)]._if.run(Unknown Source)

-----Original Message-----
From: Douma, Ate [mailto:[EMAIL PROTECTED]]
Sent: 18 February 2002 12:26
To: Orion-Interest
Subject: RE: Direct call to j_security_check when using form based authorization

Define a secure url (e.g. /secure/requestedLogin) which forces the user to login (just as you described) and request it from a button or link on the public page you want.

When the user isn't logged in yet, the servlet container will intercept the request and force the user to login, remembering the requested url, and redirect the user to this original url after login. From the destination page (your secure url) you can send a client side redirect to the original (public) page or somewhere else (secure or non-secure).

-----Original Message-----
From: Erik Johansson [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 10:39 AM
To: Orion-Interest
Subject: Direct call to j_security_check when using form based authorization

I am using form based authentication in my application. When trying to access a protected resource, the container automatically prompts the login form to the user, where he can fill in authentication info (username and password).

Code from login.jsp:

    <form method="POST" action="j_security_check">
    <input type="text" name="j_username">
    <input type="password" name="j_password">
    </form>

Here the Servlet-specification dictates that the action to be called from the login form must be j_security_check
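The approach from the quoted reply above (a protected URL such as /secure/requestedLogin that makes the container run its own form login, followed by a client-side redirect), sketched as an added example that is not code from the thread. The class name, the `return` parameter and the web.xml arrangement described in the comments are assumptions made for illustration.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical servlet, assumed to be mapped in web.xml to /secure/requestedLogin
 * and covered by a security-constraint on /secure/* with form-based login.
 * The container only lets a request reach doGet() after a successful login,
 * so this code never sees or handles the username and password itself.
 */
public class RequestedLoginServlet extends HttpServlet {

    /**
     * Accept only paths inside this application as a redirect target.
     * Absolute URLs, scheme-relative "//host" values, backslashes and
     * CR/LF are rejected so the link cannot send a freshly logged-in
     * user to another site or split the Location header.
     */
    static String safeTarget(String contextPath, String requested) {
        boolean local = requested != null
                && requested.startsWith("/")
                && !requested.startsWith("//")
                && requested.indexOf('\\') < 0
                && requested.indexOf('\r') < 0
                && requested.indexOf('\n') < 0;
        // Fall back to the application's start page when the value is unusable.
        return contextPath + (local ? requested : "/");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // "return" is an assumed parameter name, e.g. the public page links to
        // /secure/requestedLogin?return=/index.jsp
        String target = safeTarget(req.getContextPath(), req.getParameter("return"));
        resp.sendRedirect(resp.encodeRedirectURL(target));
    }
}
```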
RE: Direct call to j_security_check when using form based authorization
Erik:

Try changing your snippet below to...

    <jsp:forward page="<%= "j_security_check?j_username=" + java.net.URLEncoder.encode(j_username) + "&j_password=" + java.net.URLEncoder.encode(j_password) %>" />

THE PROBLEM -- Notice the ? rather than the ; before the first parameter; the ? identifies the start of the query string and the ; is being interpreted as part of the servlet mapping (i.e. /j_security_check; rather than just j_security_check).

If that doesn't work, try putting the username/password into request attributes when you submit from the public page and retrieve them in your login.jsp page to use as values for the form fields, and if those parameter values exist, auto-submit the login.jsp page. This will still pop up the login.jsp when you try to get a restricted resource directly, but also allow you to login from various external locations.

Hope that helps...

Jason Coward
TRM Software Developer
Mongoose Technology, Incorporated
[EMAIL PROTECTED]
http://www.mongoosetech.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Erik Johansson
Sent: Monday, February 18, 2002 1:30 PM
To: Orion-Interest
Subject: RE: Direct call to j_security_check when using form based authorization

Thank you for your answer. I understand what you mean, but I am afraid I did not specify my problem enough.

I would like to have a login form (fast login) on my public page where a visitor can directly insert username and password. When the client presses the login button I would like to send him to the correct page (which is restricted) without forcing him to visit the login.jsp (the page specified as form-login-page in the web.xml). This seems natural since he has already added his login data once. If the client is trying to access a restricted page without using the fast login, then it is of course desirable that the container intercepts the call and shows the login form.
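The `;` versus `?` distinction from the reply above, as an added example that is not code from the thread: it builds the forward target both ways and shows which part of each string is path and which is query. It uses `java.net.URI` to illustrate the general URI split, not Orion's internal resolution, and the class name, helper names and sample password are constructed for illustration.

```java
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

public class ForwardTargetDemo {

    // Build the forward target; sep is ';' (the original login.jsp)
    // or '?' (the suggested change). Values are percent-encoded so that
    // '&', ';' or '=' inside a password cannot alter the structure.
    static String buildTarget(char sep, String user, String pass)
            throws UnsupportedEncodingException {
        return "/j_security_check" + sep
                + "j_username=" + URLEncoder.encode(user, "UTF-8")
                + "&j_password=" + URLEncoder.encode(pass, "UTF-8");
    }

    // Decode the query component into name/value pairs.
    // Returns an empty map when the URI has no query component at all.
    static Map<String, String> queryParams(URI uri)
            throws UnsupportedEncodingException {
        Map<String, String> params = new LinkedHashMap<String, String>();
        String raw = uri.getRawQuery();
        if (raw == null) {
            return params;
        }
        for (String pair : raw.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(name, "UTF-8"),
                       URLDecoder.decode(value, "UTF-8"));
        }
        return params;
    }

    public static void main(String[] args) throws Exception {
        String user = "pelle";
        String pass = "p&ss;w=rd 1";   // constructed sample with separator characters
        for (char sep : new char[] {';', '?'}) {
            URI uri = new URI(buildTarget(sep, user, pass));
            System.out.println("target : " + uri);
            System.out.println("  path : " + uri.getRawPath());
            System.out.println("  query: " + queryParams(uri));
        }
    }
}
```

With `;` the whole string is the path, so there is no resource named plain `/j_security_check` to match and no parameters are produced; with `?` the path is `/j_security_check` and both parameters decode back to their original values.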