1 Reply Latest reply on Oct 7, 2002 2:47 AM by chgrimm

    FORM authentication WITHOUT j_security_check - doesn't work!

    richardberger
    richardberger Oct 7, 2002 1:24 AM

      (Forget all my other questions - it boils down to this one). I implemented FORM authentication and on my form, I do NOT use j_security_check (wanting a little more control over what happens). By capturing the information on the form, I am able to authenticate the users via JAAS and get their role information - however, even after the user is authenticated, the security defined in web.xml does NOT work (e.g. without using j_security_check, the web container does not appear to know what role the authenticated user is in).

      If, instead of using my own form, I use a j_security_check based form, then the web container knows what is going on.

      Am I hallucinating here or is JAAS authentication unknown to the web container (and all the security mechanisms in web.xml) if j_security_check is NOT used? Is this considered a bug - or a design feature.

      Thanks much in advance,
      RB

      • 2426 Views
      • Tags:
        • 1. Re: FORM authentication WITHOUT j_security_check - doesn't w
          chgrimm
          chgrimm Oct 7, 2002 2:47 AM (in response to richardberger)

          from the servlet 2.3 spec: "In order for the authentication to proceed appropriately, the action of the login
          form must always be j_security_check."

          if you use an other form action instead, authentication simply does not happen.

          this behaviour is the same for all web-containers, e.g. also for tomcat standalone, which has it's own realm implementation and does not make use of jaas.

            • Actions