    In JBoss Portal 2.4, the data has to be stored in the session rather than in the request.


    You can store the username and password in the session using an intermediate servlet and then redirect to the login JSP. Here is an example:


    The form looks like this:


       <form enctype='application/x-www-form-urlencoded' method='post' action='savelogin'>
          <input type='text' name='username'>
          <input type='password' name='password'>
          <input type='submit' value='login'>
       </form>


    On savelogin, the servlet does the following:


       protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
          String username = req.getParameter("username");
          String password = req.getParameter("password");
          req.getSession().setAttribute("username", username);
          req.getSession().setAttribute("password", password);
          String autologinURL = req.getContextPath() + "/auth/";
          resp.sendRedirect(resp.encodeRedirectURL(autologinURL));
       }


    And in the auto-login servlet:


       String username = req.getParameter("username");
       String password = req.getParameter("password");
       if (username == null && password == null)
       {
          username = (String)req.getSession().getAttribute("username");
          password = (String)req.getSession().getAttribute("password");
       }
       String url = "j_security_check?j_username=" + username + "&j_password=" + password;
       url = resp.encodeRedirectURL(url);
       resp.sendRedirect(url);


    Of course, this example must be adapted to what exists below in this wiki.


    There are no guarantees that it will work with other versions, as the container could decide not to expose the HTTP session in the login servlet/JSP.


    So be aware that future container changes could also affect this code!
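
    A hardened variant of the auto-login step, added here as an example and not part of the original wiki page: instead of redirecting with the credentials in the query string (where they end up in the address bar, browser history and access logs), it removes them from the session and posts them to j_security_check from an auto-submitting form. The class name AutoLoginServlet and the helper esc are hypothetical, and it assumes the container accepts this POST the way it accepts a normal login form.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical replacement for the auto-login servlet shown above.
public class AutoLoginServlet extends HttpServlet {

    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        String username = session == null ? null : (String) session.getAttribute("username");
        String password = session == null ? null : (String) session.getAttribute("password");
        if (session != null) {
            // Credentials are single-use: do not leave them in the session.
            session.removeAttribute("username");
            session.removeAttribute("password");
        }
        if (username == null || password == null) {
            // Nothing stored by savelogin: return an error rather than submit "null".
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // The response carries a password, so keep it out of caches.
        resp.setHeader("Cache-Control", "no-store");
        resp.setContentType("text/html; charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<html><body onload='document.forms[0].submit()'>");
        out.println("<form method='post' action='" + resp.encodeURL("j_security_check") + "'>");
        out.println("<input type='hidden' name='j_username' value='" + esc(username) + "'>");
        out.println("<input type='hidden' name='j_password' value='" + esc(password) + "'>");
        out.println("<noscript><input type='submit' value='login'></noscript>");
        out.println("</form></body></html>");
    }

    // Minimal HTML attribute escaping so typed characters cannot break out of value='...'.
    private static String esc(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }
}
```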



    For JBoss Portal 2.2 - Hack submitted by User and JBoss does not guarantee it works!


    Most of the time when we have our own portal app, we would like to be able to log in from one of our portlets using the already existing JBoss Portal authentication capabilities.


    This is how it can be done.


    In my login portlet I have the following HTML form definition:


                <form id="login-form" name="loginform" action="/portal/auth/enlogin" method="post">
                    <input type="text" name="username" />
                    <input type="password" name="password" />
                    <input type="image" src="/img/button-login.gif" />
                </form>



    The only important thing here is the action path. It must be in the form of '/' - it must match the portal's security constraint path defined in web.xml in portal-server.war.


    Now we must also change the portal's login JSP page - that's the page the web container (in our case Tomcat) automatically redirects us to when we are not logged in (see login-config in the previously mentioned web.xml) and want to access a restricted path.


         <%
         String username = request.getParameter("username");
         System.out.println("Username: " + username);
         String password = request.getParameter("password");
         if (username != null && password != null) {
                 String url = "j_security_check?j_username=" + username + "&j_password=" + password;
                 String redirectUrl = response.encodeRedirectURL(url);
                 response.sendRedirect(redirectUrl);
         }
         %>


    Add this to the beginning (just after the imports) of the login.jsp page.


    This worked for me.


    The only thing that I have problems with now is when I have lazy loaded objects, it looks like there is no underlying transaction going on as before (no transactionFilter propagation?), so I get a lazyloading exception when I submit an illegal username/password. If I submit a valid username/password, everything is ok.


    Julien, what's the catch here?


    I removed transactionFilter from web.xml and added transaction interceptor from JBP2.2 into jboss-container.xml.


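    import javax.naming.Context;
    import javax.naming.InitialContext;
    import javax.naming.NamingException;
    import javax.transaction.Transaction;
    import javax.transaction.TransactionManager;

    // Interceptor, Invocation and Transactions are JBoss Portal classes; their imports are not shown on the page.
    public class TransactionInterceptor implements Interceptor {
        private TransactionManager tm;

        public Object invoke(final Invocation invocation) {
            Transaction oldTx = null;
            try {
                oldTx = Transactions.applyBefore(Transactions.TYPE_REQUIRED, getTransactionManager());
                return invocation.invokeNext();
            } catch (Exception e) {
                throw new RuntimeException(e);
            } finally {
                try {
                    Transactions.applyAfter(Transactions.TYPE_REQUIRED, getTransactionManager(), oldTx);
                } catch (Exception e) {
                    // The body of this catch block is not shown on the page; left empty.
                }
            }
        }

        private TransactionManager getTransactionManager() throws NamingException {
            if (tm == null) {
                Context ctx = new InitialContext();
                try {
                    tm = (TransactionManager)ctx.lookup("java:/TransactionManager");
                } finally {
                    // Release the JNDI context once the lookup is done.
                    ctx.close();
                }
            }
            return tm;
        }
    }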


    So the lazy loading issue is now OK.


    The only thing that bothers me is that with illegal login I see what the user typed in - as a URL.


    Rgds, Ales