1. Re: j_security_check
chgrimm Oct 11, 2002 3:31 AM (in response to berkgypsy)
j_security_check is nothing jboss-specific.
you run into the same kind of problems with standalone web-containers like e.g. tomcat.
it has also nothing to do with the use of jaas.
jaas is just jboss' way ( and other vendors also do so or will follow ) to handle this login event.
that means, you write your login code in form of a jaas LoginModule implementation or use one provided by the jboss distro.
now to the back button problem and the problem of accessing the login page directly:
our workaround is to run the whole web application in a browser window without navigation and menu bar.
you can do this via the window.open javascript command.
Christoph
2. Re: j_security_check
berkgypsy Oct 11, 2002 12:13 PM (in response to berkgypsy)
OK, so if I want to use the DatabaseServerLoginModule, what is a good way to handle login/logout for web applications? The only thing I can think of is storing the LoginContext in the session and accessing it in each servlet, but that's certainly not as clean as doing it with j_security_check, where I was under the impression that JAAS is just working under the hood for you. How do I emulate that behavior?
Thanks so much,
Emily
3. Re: j_security_check
chgrimm Oct 11, 2002 2:59 PM (in response to berkgypsy)
to trigger a login:
start with a page in a non restricted area.
have a link or button to another page in a secured area
( see servlet spec for details )
the servlet container will trigger display of your login page and after successful login it will show the page in the secured area that you pointed to.
to trigger logout:
have a link or a button to a jsp page in the non restricted area.
do a session.invalidate() at the end of this jsp page
Christoph
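The logout step described above, written as a servlet instead of a jsp page. This is an added example, not code from the thread or from the JBoss distribution; the servlet path and the landing page are assumptions, and the servlet must be mapped in web.xml outside any security-constraint so that an unauthenticated (or timed-out) user can still reach it.

```java
// Added example (not from the thread): a logout endpoint in the unrestricted
// area. Invalidating the session drops the principal the container attached
// to it after j_security_check, so the next secured request triggers the
// form login again. START_PAGE is an assumed path.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LogoutServlet extends HttpServlet {
    // Unrestricted page to land on after logout (assumption).
    private static final String START_PAGE = "/index.jsp";

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getSession(false): do not create a fresh session just to destroy it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();  // ends the authenticated session
        }
        // Keep the logout response out of browser and proxy caches so the
        // back button does not replay a stale authenticated view.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);
        response.sendRedirect(request.getContextPath() + START_PAGE);
    }

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doGet(request, response);
    }
}
```

Link or button to this servlet from any page, as with the jsp variant above; the cache headers are not required for the logout itself but address the back-button problem raised earlier in the thread.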
4. Re: j_security_check
berkgypsy Oct 11, 2002 3:20 PM (in response to berkgypsy)
But what if someone bookmarks your login page and tries to login directly? Won't this cause problems since there is nowhere to redirect the user once they are authenticated (You will get a status 400 - invalid direct reference to form login page). It seems to me there should be a default redirect page that one should be able to specify so that people can directly login.
Emily
5. Re: j_security_check
chgrimm Oct 11, 2002 3:37 PM (in response to berkgypsy)
as i already said:
a possible solution is to run the web-application in a browser window without navigation and menu bar.
therefore you need a start page that opens another page via javascript "window.open"
the really mad ones among your users might still try to bookmark the login page via some hotkey, but i think we can live with that.
6. Re: j_security_check
berkgypsy Oct 14, 2002 7:46 PM (in response to berkgypsy)
This is the hack I came up with, if anyone is interested.
My login.jsp, which is my <form-login-page> starts like this:
<%
String temp = null;
if(session != null){
    temp = (String)session.getAttribute("beenForwarded");
    session.removeAttribute("beenForwarded");
}
if(temp != null && temp.equals("true")){
    //display this page
}else{
    //redirect to a home page for authenticated users
    session.setAttribute("beenForwarded", "true");
    response.sendRedirect("/restricted/success.jsp");
    return; // stop rendering the rest of the page after the redirect
}
%>
This allows users to directly access the login.jsp page, for instance if they bookmark it. If they do this, the "beenForwarded" flag has not been set so they are immediately forwarded to /restricted/success.jsp, which as you may guess is a restricted page, so the web container will proceed with the form login process as usual.
7. Re: j_security_check
berkgypsy Oct 14, 2002 7:50 PM (in response to berkgypsy)
my previous post is not showing up, so I am trying again:
This is the hack I came up with, if anyone is interested.
My login.jsp, which is my <form-login-page> starts like this:
<%
String temp = null;
if(session != null){
    temp = (String)session.getAttribute("beenForwarded");
    session.removeAttribute("beenForwarded");
}
if(temp != null && temp.equals("true")){
    //display this page
}else{
    //redirect to a home page for authenticated users
    session.setAttribute("beenForwarded", "true");
    response.sendRedirect("/restricted/success.jsp");
    return; // stop rendering the rest of the page after the redirect
}
%>
This allows users to directly access the login.jsp page, for instance if they bookmark it. If they do this, the "beenForwarded" flag has not been set so they are immediately forwarded to /restricted/success.jsp, which as you may guess is a restricted page, so the web container will proceed with the form login process as usual.
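The "beenForwarded" hack from the two posts above, moved out of the jsp scriptlet into a servlet that is registered as the <form-login-page>. This is an added example and not the poster's code or anything shipped with JBoss; the servlet mapping, the attribute name and the HTML are assumptions, and /restricted/success.jsp is reused from the posts. It covers one case the scriptlet does not: a user who is already authenticated and hits the login page directly is sent straight on without arming the flag, so no stale "true" is left in the session that could later let a bookmarked GET reach the form (and produce the status 400 described earlier in the thread).

```java
// Added example (not from the thread): the <form-login-page> as a servlet.
// The container forwards to it during FORM login; a direct client hit is
// detected with the same one-shot session flag the posts above use.
// FLAG, PROTECTED_ENTRY and the servlet's mapping are assumptions.
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginPageServlet extends HttpServlet {
    private static final String FLAG = "beenForwarded";
    // Any resource under a security-constraint will do: requesting it makes
    // the container run the FORM login flow and forward back to this servlet.
    private static final String PROTECTED_ENTRY = "/restricted/success.jsp";

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Already logged in: there is nothing to log in to, so do not arm the
        // flag; just send the user into the application.
        if (request.getUserPrincipal() != null) {
            response.sendRedirect(request.getContextPath() + PROTECTED_ENTRY);
            return;
        }

        HttpSession session = request.getSession(true);

        // One-shot flag: read and clear it in the same request so it is
        // honoured at most once.
        Object flag = session.getAttribute(FLAG);
        session.removeAttribute(FLAG);

        if (!"true".equals(flag)) {
            // Direct hit (bookmark, back button): arm the flag and bounce to a
            // protected page so the container, not the user, picks the target
            // that j_security_check will redirect to after login.
            session.setAttribute(FLAG, "true");
            response.sendRedirect(request.getContextPath() + PROTECTED_ENTRY);
            return;
        }

        // Reached via the container's forward: render the form. The action
        // and the two field names are fixed by the servlet spec.
        response.setContentType("text/html");
        response.setHeader("Cache-Control", "no-store");  // keep the form out of the back-button cache
        PrintWriter out = response.getWriter();
        out.println("<html><body>");
        out.println("<form method=\"post\" action=\"j_security_check\">");
        out.println("User: <input type=\"text\" name=\"j_username\"><br>");
        out.println("Password: <input type=\"password\" name=\"j_password\"><br>");
        out.println("<input type=\"submit\" value=\"Login\">");
        out.println("</form></body></html>");
    }

    // The container forwards with the original method, which is POST when a
    // timed-out session expired on a form submission, so serve that too.
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doGet(request, response);
    }
}
```

The servlet must be mapped (for example at /login, an assumption) outside every security-constraint and named in <form-login-page>; the relative action "j_security_check" is the usual idiom because the browser's URL during the forward is still the protected resource and the container intercepts that name anywhere in the context.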
8. Re: j_security_check
bleupen Oct 15, 2002 1:44 PM (in response to berkgypsy)
here's what we do:
1. put everything in a secured area, including the first page that a user should see upon logging in.
2. make the root "index.jsp" page nothing more than a one-liner that forwards the request to the "jumping off page" in the secured area.
3. rely on the servlet container to display the login screen.
This has a number of positive effects, including preventing people from bookmarking the login page and handling page timeouts elegantly (even if the timeout happens on a form submission).
-b